NAVAL  POSTGRADUATE  SCHOOL 
Monterey,  California 




THESIS 




AN  INTRUSION-DETECTION  TUTORING  SYSTEM  USING 
MEANS-ENDS  ANALYSIS 


Sandra  Jean  Schiavo 


March  1995 


Thesis  Advisor: 


Neil  C.  Rowe 


Approved  for  public  release;  distribution  is  unlimited. 




REPORT  DOCUMENTATION  PAGE 


4.  TITLE  AND  SUBTITLE 

An  Intrusion-Detection  Tutoring  System  Using  Means-Ends  Analysis 


Schiavo,  Sandra  Jean 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

Naval  Postgraduate  School 

Monterey,  CA  93943-5000 


The  views  expressed  in  this  thesis  are  those  of  the  author  and  do  not  reflect  the  official  policy  or  position 
of  the  Department  of  Defense  or  the  United  States  Government. 


14.  SUBJECT  TERMS 

Intrusion  detection,  intelligent  tutor,  means-ends  analysis,  computer  security 

15.  NUMBER  OF  PAGES 

156 


17. SECURITY CLASSIFICATION OF REPORT: Unclassified
18. SECURITY CLASSIFICATION OF THIS PAGE: Unclassified
19. SECURITY CLASSIFICATION OF ABSTRACT: Unclassified
20. LIMITATION OF ABSTRACT: UL





AN  INTRUSION-DETECTION  TUTORING  SYSTEM 
USING  MEANS-ENDS  ANALYSIS 


Sandra  Jean  Schiavo 
Lieutenant,  United  States  Navy 
B.S.,  Virginia  Polytechnic  Institute  and  State  University,  1987 


Submitted  in  partial  fulfillment  of  the 
requirements  for  the  degree  of 

MASTER  OF  SCIENCE  IN  COMPUTER  SCIENCE 


Author: 


Approved  by: 


Timothy  J.  Shimeall,  Second  Reader 


Department  of  Computer  Science 




ABSTRACT 


This research designed and implemented an intelligent tutoring system for teaching
computer intrusion detection to potential or current system administrators of computer
networks. The Intrusion-Detection Tutoring System (IDTS) is an intelligent tutoring
system built using Quintus Prolog and the METUTOR general-purpose tutoring software
written by Professor Rowe. The operating environment of the IDTS is a virtual one, based
on UNIX; it uses some common UNIX commands and file hierarchy. After both student
and tutor analyze a static audit file to find suspicious and/or malicious behavior, the student
tries to fix the damage, and the computer critiques the student’s actions using means-ends
analysis. Using its nineteen behavior rules, IDTS can classify eleven different types of
intruder behavior known to exploit system vulnerabilities, and can tutor the student on how to
detect this behavior and how to efficiently return the system to a secure state after the
intrusion has occurred. Four different audit files of varying length were tested with IDTS.
IDTS correctly identified most intruder behavior in both manually and computer-generated
audit files, and showed it could correctly tutor on that behavior.

I. INTRODUCTION


Computer  security  of  software  and  data  is  a  difficult  and  never-ending  problem 
requiring  both  manual  and  automated  controls.  A  key  part  of  the  manual  controls  is  the 
system  administrator  who  is  responsible  for  not  only  ensuring  that  the  system  is  fully 
operational  but  also  that  it  is  secure.  This  person,  in  addition  to  learning  day-to-day 
operation  of  the  computer  network,  will  have  to  learn  about  computer  security  either  by 
reading about it or through trial by fire. This trial-by-fire method of learning about security
can be potentially damaging to a company financially, or to national security in the case
of a military unit, because security problems can be infrequent, although very damaging
when they do occur. There has to be, or should be, a better way to learn about system
administrator duties, particularly security issues.

Formal computer security courses are available, but can be time-consuming and
cost-prohibitive for some smaller organizations. What would be helpful is an automated
intrusion-detection tutoring system that could teach the user about system security duties
and how to identify an intruder from an audit trail. This type of intrusion-detection tutoring
system would allow users to learn about intruder behavior at their own convenience and
pace, and possibly expedite the learning process. This thesis presents the
Intrusion-Detection Tutorial System (IDTS), which is an automated intelligent tutoring system
focusing on intrusion detection.

IDTS, described herein, is built using Quintus Prolog and runs on top of the
metutorSO application, written by Professor Rowe, which uses intrusion-detection software
and means-ends analysis to actually perform the tutoring. IDTS was specifically designed
to tutor potential or current computer system administrators in the area of intrusion
detection. The operating system environment of IDTS is a virtual one, based on UNIX; it
uses some common UNIX commands and its file hierarchy. After both student and tutor
analyze a static audit file to find suspicious and/or malicious behavior, the student tries to
fix the damage, and the computer critiques the student’s actions using means-ends analysis.

The contents of this thesis are as follows. Chapter II will present related work in
intelligent tutoring systems and means-ends analysis. Chapter III will discuss intrusion
detection and automated systems to detect intruders, specifically the Next-Generation
Intrusion Detection Expert System (NIDES) developed at SRI International, Menlo Park,
CA. Chapter IV will introduce IDTS and take an in-depth look at its actual components.
It will present the virtual computer operating environment of IDTS, specifically the file
hierarchy, the audit file, the UNIX commands used, and the assumptions and decisions
made during its design. It will also discuss the relationships between each of the
components as well as additional required programs written by others. Chapter V will
discuss the performance of the IDTS, specifically behaviors detected, space requirements,
and CPU runtime. Chapter VI will summarize all of the above, and will discuss the
weaknesses of the IDTS. It will also make recommendations for improving the existing
IDTS application. Finally, two appendices have been included. Appendix A contains the
source code for IDTS, and Appendix B contains script runs of IDTS, testing four separate
input audit files.

II. INTRODUCTION TO MEANS-ENDS ANALYSIS AND
INTELLIGENT TUTORING SYSTEMS


A.  MEANS-ENDS  ANALYSIS 

Means-ends analysis attempts to solve a search problem through abstraction by
taking  the  difference  between  the  current  state  and  the  goal  state  and  applying  a 
recommended  operator.  In  order  to  apply  a  recommended  operator,  some  preconditions 
must  be  met.  The  results  of  applying  an  operator  are  postconditions,  which  are  added  to 
the  state.  It  is  also  possible  that  by  applying  an  operator,  conditions  may  be  deleted  from 
the  state.  Means-ends  analysis  is  a  recursive  search;  therefore,  it  will  continue  to  apply 
operators,  check  preconditions,  add  postconditions,  and  delete  postconditions,  until  the 
difference  between  the  state  and  the  goal  is  the  empty  set.  In  an  implementation  of  means- 
ends  analysis,  the  recommended  operators  are  stored  as  recommended  facts,  the 
preconditions  as  precondition  facts,  the  postconditions  as  addpostcondition  facts,  and  the 
deleted  postconditions  as  deletepostcondition  facts  [Ref.  1].  For  an  in-depth  explanation 
of  means-ends  analysis,  see  [Ref.  1,  pp.  263  -  281]. 
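The recursion described above, as an added Python illustration (not code from the thesis or from METUTOR): the recommended, precondition, addpostcondition and deletepostcondition facts are held in tables. The operator names and conditions are a hypothetical post-intrusion cleanup domain constructed for this example.

```python
"""Means-ends analysis over a small, constructed cleanup domain (illustrative only)."""

# recommended facts: (conditions that must all be in the difference, operator),
# listed highest priority first. Every name below is hypothetical.
RECOMMENDED = [
    (frozenset({"root_password_secure"}), "change_root_password"),
    (frozenset({"passwd_file_intact"}), "restore_passwd_from_backup"),
    (frozenset({"logged_in_as_root"}), "login_as_root"),
    (frozenset({"backup_tape_mounted"}), "mount_backup_tape"),
    (frozenset({"backup_tape_stored"}), "store_backup_tape"),
]

# precondition facts: what must hold before an operator can be applied.
PRECONDITION = {
    "change_root_password": frozenset({"logged_in_as_root"}),
    "restore_passwd_from_backup": frozenset({"logged_in_as_root", "backup_tape_mounted"}),
    "login_as_root": frozenset(),
    "mount_backup_tape": frozenset(),
    "store_backup_tape": frozenset({"backup_tape_mounted"}),
}

# addpostcondition facts: conditions an operator adds to the state.
ADDPOSTCONDITION = {
    "change_root_password": frozenset({"root_password_secure"}),
    "restore_passwd_from_backup": frozenset({"passwd_file_intact"}),
    "login_as_root": frozenset({"logged_in_as_root"}),
    "mount_backup_tape": frozenset({"backup_tape_mounted"}),
    "store_backup_tape": frozenset({"backup_tape_stored"}),
}

# deletepostcondition facts: conditions an operator removes from the state.
DELETEPOSTCONDITION = {
    "change_root_password": frozenset({"root_password_compromised"}),
    "restore_passwd_from_backup": frozenset({"passwd_file_modified"}),
    "login_as_root": frozenset(),
    "mount_backup_tape": frozenset({"backup_tape_stored"}),
    "store_backup_tape": frozenset({"backup_tape_mounted"}),
}

START = frozenset({"root_password_compromised", "passwd_file_modified",
                   "backup_tape_stored"})
GOAL = frozenset({"root_password_secure", "passwd_file_intact",
                  "backup_tape_stored"})


def means_ends(state, goal, depth=0, max_depth=25):
    """Return (operator_list, final_state), or None if no plan is found."""
    state, goal = frozenset(state), frozenset(goal)
    difference = goal - state
    if not difference:                      # nothing left to achieve
        return [], state
    if depth >= max_depth:                  # guard against runaway recursion
        return None
    for wanted, op in RECOMMENDED:
        if not wanted <= difference:        # this fact does not address the difference
            continue
        # First make the operator's preconditions true...
        pre = means_ends(state, PRECONDITION[op], depth + 1, max_depth)
        if pre is None:
            continue
        pre_ops, pre_state = pre
        # ...then apply it: delete postconditions, add postconditions...
        post_state = (pre_state - DELETEPOSTCONDITION[op]) | ADDPOSTCONDITION[op]
        # ...and keep working on whatever difference remains.
        post = means_ends(post_state, goal, depth + 1, max_depth)
        if post is None:
            continue
        post_ops, goal_state = post
        return pre_ops + [op] + post_ops, goal_state
    return None


if __name__ == "__main__":
    plan, final_state = means_ends(START, GOAL)
    for step, op in enumerate(plan, 1):
        print(step, op)
```

Mounting the tape deletes a condition that was already satisfied at the start, so the planner has to re-achieve it at the end; this is the "conditions may be deleted from the state" case in the paragraph above.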

B.  INTELLIGENT  TUTORING  SYSTEMS 

Intelligent  tutoring  systems  offer  an  attractive  and  efficient  way  to  learn,  since  the 
emphasis  is  on  learning-by-doing:  converting  factual  knowledge  into  experiential 
knowledge  [Ref.  2,  p.  1].  They  provide  an  interactive  simulation  for  the  student  to  learn 
procedural  skills,  and  a  friendly  environment  in  which  the  student  can  back-up  and  redo 
actions. There are also similar intelligent tutoring systems that provide a shell for
“role-performance” skills that are the same as procedural skills [Ref. 3]. Both
“role-performance” and procedural skills are types of skills the student learns by completing a
series of discrete actions. An example of a procedural skills intelligent tutoring system is
PIXIE, described in [Ref. 4]. It is an expert system shell for teaching rule-based systems.
It has features for knowledge representation and for defining inference rules in the domain.
There are also tutoring strategy rules present in PIXIE. Regardless of the implementation,
all intelligent tutoring systems will require a large library of predefined task structures, used
to store the components of the tutoring strategies to be designed by the teacher or expert.

IDTS uses the intelligent tutoring system METUTOR to tutor the student in
intrusion detection. METUTOR, like PIXIE, is a procedural skills tutoring system and uses
means-ends analysis to tutor the student using the recommended operator predicates
described above. A procedural intelligent-tutoring system, like METUTOR, is suited to
intrusion detection because the task of finding intruders and correcting the damage they
cause is procedural in nature.

III. AN INTRODUCTION TO INTRUSION DETECTION


Today  it  is  not  uncommon  to  pick  up  a  newspaper  or  magazine  and  read  that 
someone  has  broken  into  the  computer  system  of  a  major  company  or  university.  The 
reasons  why  someone  breaks  into  a  computer  system  are  numerous.  Some  do  it  just  for  the 
mere  thrill  of  it,  while  others  do  it  to  cause  problems  within  the  computer  system  like 
inserting  a  virus.  More  and  more  intruders,  however,  are  doing  it  for  monetary  gain. 
“Cybercrime”  is  on  the  rise,  and  current  laws  do  not  apply  well  at  all  to  computer  crimes 
[Ref.  5]. 

According  to  Lunt  in  [Ref.  6], “timely  detection  of  unauthorized  intruders  into 
computers  and  computer  networks  is  a  problem  of  increasing  concern.”  Regardless  of  the 
reason  for  computer  intrusion,  detecting  this  intruder  behavior,  whether  it  is  an  external 
penetration  or  an  insider  attack,  should  be  of  the  utmost  importance  to  any  system 
administrator.  There  are  several  software  intrusion-detection  tools  available  to  a  system 
administrator  as  well  as  hardware  tools;  both  types  of  tools  require  analysis  of  audit  trail 
information  as  stated  in  [Ref.  7]. 

A.  INTRUSION-DETECTION  SOFTWARE  TOOLS 

1.  Expert  Systems 

In an intrusion-detection expert system, a set of rules based on the
“expert’s” knowledge of the intruder’s behavior is used to analyze the contents of the audit
trail. If behavior exists in the audit trail matching any of the rules, then some alarm is
triggered. In addition to these rules based on past intrusions, known as system
vulnerabilities, there are also rules corresponding to anomalous behavior. User profiles are
maintained on legitimate users on the system, and if there is any deviation from their
established pattern, due to an intruder using the account, then it is considered an anomalous
detection [Ref. 9]. A well-known intrusion-detection expert system is described in the
following section.

2. Next-Generation Intrusion Detection Expert System (NIDES)

NIDES  is  a  real-time  intrusion-detection  expert  system  developed  at  SRI 
International,  Menlo  Park,  CA,  and  it  provides  a  good  example  of  a  class  of  similar 
systems.  Its  predecessor,  Intrusion-Detection  Expert  System  (IDES),  has  been  the  basis  for 
most  intrusion  detection  research  to  date,  and  it  forms  the  conceptual  basis  for  several  other 
intrusion-detection  software  tools  [Ref.  7].  NIDES  is  system  independent,  and  is  able  to 
process the audit trail information from a target system. It uses expert-system rules,
modeled for different types of intruder behavior, to detect intruders regardless of whether
they are external penetrators, internal penetrators, or misfeasors. When intruder behavior is detected
based  on  these  rules,  an  alarm  is  raised.  For  the  masquerader  intruders,  NIDES  maintains 
statistical  profiles  of  past  user  behavior.  If  the  user’s  activities  vary  from  the  established 
behavior  pattern,  referred  to  as  an  anomalous  detection,  then  NIDES  also  sounds  an  alarm 
[Ref.  6]. 

B.  PROBLEMS  IN  INTRUSION  DETECTION 
1.  Audit  Trail  Overhead  and  Reduction 

Since IDTS is based on UNIX, we will discuss its auditing facilities. Whichever
version of UNIX is used, Berkeley or System V, it will maintain log files. These
log files form the basis of UNIX’s auditing system. A determined system administrator
may find unauthorized and/or suspicious behavior by reviewing these log files. All
versions of UNIX maintain the following log files [Ref. 8, p. 125]:

• /usr/adm/lastlog   Logs each user’s most recent login time.
• /etc/utmp          Logs a record each time a user logs in.
• /usr/adm/wtmp      Logs a record each time a user logs in or logs out.
• /usr/adm/acct      Logs every command run by every user.

Depending on the number of users, the information gathered in these four files can
be an enormous amount of information for a system administrator to wade through. In
[Ref. 6], Lunt says that far too much information is collected to be useful to determine
if intruders are present, and that information that could be used to find intruders is not
collected. Reducing the amount of audit trail information and deciding which information
to keep is an on-going research problem in intrusion detection.

2.  Behavior  Classification 

A  big  problem  with  automated  intrusion-detection  systems  is  that  they  may 
incorrectly  classify  user  behavior.  There  are  “false  negatives”  when  an  intruder  is 
classified  as  a  legitimate  user,  and  “false  positives”  when  a  user  is  mistakenly  called  an 
intruder. 


3.  Intrusion  Detection  Training 

Although  automated  intrusion-detection  systems,  like  NIDES,  make  a  system 
administrator’s  life  easier,  it  is  still  up  to  them  to  make  the  final  call  whether  suspicious 
behavior  in  an  audit  file  belongs  to  an  intruder.  This  is  especially  true  in  NIDES,  since 
when  a  user’s  profile  is  first  being  trained  there  are  several  false  positive  alerts.  In  these 
cases,  the  system  administrator  must  intervene  and  reset  the  intrusion-detection  system. 
This is one of the reasons NIDES was not used. Regardless of whether an automated
intrusion-detection tool is used, the system administrator must be knowledgeable in intrusion
detection and know what to do if an intrusion has occurred. Cleaning up after an intruder
attack  is  something  an  automated  system  will  not  teach  a  system  administrator. 

The rules in most intrusion-detection systems, like in NIDES, are modeled for
real-time detection, and do not teach any basic system administrator skills such as storing
backup tapes once they are done using them. What is needed is a tutor to teach an
administrator not only how to detect intruder behavior, but what to do after an intruder has
penetrated their system and about basic system administrator duties. IDTS is capable of
both teaching the student how to detect intruder behavior and how to fix the damage caused
by the intruder. Also with IDTS, there are rules that focus on basic system administrator
skills which are well-documented in system administrator books and reports. IDTS is
described in the following chapter.

IV. THE INTRUSION-DETECTION TUTORING SYSTEM (IDTS)


IDTS  is  an  intelligent  tutoring  system  written  in  Quintus  Prolog.  It  runs  on  top  of 
the metutorSO application, written by Professor Rowe, which provides means-ends analysis
of  student  actions  and  general-purpose  rules  for  tutoring.  It  can  be  run  in  any  operating 
system  environment  which  has  a  Quintus  Prolog  compiler  installed. 

A.  OPERATION  OF  IDTS 

Upon  executing  IDTS,  the  user  is  shown  an  audit  file  and  the  mail  messages 
received  by  root  for  a  virtual  computer  system.  It  is  up  to  the  user  to  choose  which  actions 
to  perform  based  on  the  audit  file  contents.  The  tutoring  system  will  know  the  best 
recommended  way  to  approach  the  intruder  behavior  present  in  the  audit  trail  and  prevent 
it  from  occurring  again.  If  the  user  chooses  an  inappropriate  action,  the  tutor  will  notify  the 
user  that  a  more  appropriate  action  exists.  If  the  chosen  action  is  appropriate,  but  there  is 
a  more  important  action  to  perform,  the  tutor  will  give  a  hint  to  the  user.  The  tutor  will  only 
end  the  lesson  when  the  user  has  corrected  any  and  all  security  problems  present  in  the  audit 
file,  although  the  user  can  quit  before  completing  the  tutorial.  The  details  of  how  IDTS 
accomplishes  the  tutoring  and  its  components  will  be  explained  later  in  this  chapter; 
however,  before  the  actual  components  of  IDTS  can  be  understood,  the  virtual  environment 
in  which  it  operates  must  be  explained. 

B.  THE  VIRTUAL  ENVIRONMENT  OF  IDTS 

The  virtual  computer  environment  modeled  for  this  tutoring  system  is  based  on  the 
UNIX  operating  system.  It  was  chosen  due  to  its  known  security  flaws  and  its  widespread 
use,  especially  in  the  academic  community.  Although  commands  found  in  the  audit  trail 
are  UNIX  commands,  several  liberties  and  assumptions  about  them  were  made  to 
accommodate  the  tutoring  system.  The  goal  of  this  tutor  is  not  to  make  the  user  an  expert 
on UNIX, but to make them aware of the types of behaviors that hard-core hackers and even
casual hackers use to disrupt, corrupt, or abuse time on a given system. Some familiarity
with UNIX would be beneficial to the user, however, but is not required.

1.  File  Hierarchy 

The files used in IDTS are virtual files; that is, they do not exist. A virtual file
has a name, size, directory in which it resides, time it was last
modified, permissions, type, and owner, but there is no actual content to the file.

a.  System  Files 

As in a typical UNIX environment, the virtual system has system files.
These system files are owned by the system administrator, who will be called
root. For simplicity’s sake, only a few of the major system files that are known to most users
have been used.

b.  User  Files 

It  is  important  that  our  virtual  world  include  the  most  tempting  system  files 
like  “passwd”  and  those  files  located  in  the  “bin”  directory  belonging  to  root,  but  user  files 
are  also  present  for  a  more  realistic  environment.  The  files  are  stored  just  as  they  would  be 
in  a  UNIX  environment.  Each  user  has  a  subdirectory  under  root’s  directory  named 
“users.”  Each  user  can  then  create  and  own  as  many  files  and  subdirectories  as  they  desire. 
Figure  1  shows  an  example  of  what  a  file  directory  tree  in  this  modeled  environment  might 
look  like. 


c.  Operations  on  Files 

Like  the  files  themselves,  operations  on  the  files  are  virtual.  If  the  audit  file 
were  to  show  that  a  user  edited  a  file,  the  only  parts  of  the  file  description  which  would 
change would be the file’s size and last time modified. When a file is created or deleted, a
new file description is created and placed in the database, or the file information is removed
from the database, respectively.

/ (root)

bin  etc  users  tmp  lib

adams  brown  doe  smith

graphics  personal  goodies  courses

|

CS3700

Figure  1:  Example  of  Directory  Tree 


2.  Audit  File 

The  pseudo-UNIX  operating  system  audit  trail  in  the  virtual  computer  system  of  IDTS 
is  not  as  sophisticated  as  a  true  UNIX  operating  system.  There  are  only  five  pieces  of 
information  stored  in  each  record  of  the  audit  file:  user  name,  time,  current  directory,  UNIX 
command  issued,  and  the  result  of  issuing  the  particular  UNIX  command.  Figure  2  is  an 
example  listing  of  the  audit  file. 

This file is a simplified consolidation of the four log files included in a UNIX computer
system. To assist the user, extra information not available in a true UNIX system is also in the
audit file: the arguments of commands issued and the directory in which they were issued
[Ref. 8, p. 130]. Additionally, the result of the command executed is given: if the command
is unsuccessfully executed, this is “fail;” if a file is created or modified, this is the size of the
resulting file in bytes; if a mail message is sent, this is the message itself; otherwise, this is
“ok.”

Name    Time   Path    Command             Result
brown   1030   none    login brown         fail
brown   1031   none    login brown         fail
brown   1032   none    login brown         fail
brown   1033   none    mail root           bad(password, brown)
doe     8982   none    login doe           ok
doe     9315   doe     emacs bigpaper      29947
doe     9335   doe     emacs csproject     1024
doe     9352   doe     ls                  ok
doe     9360   doe     emacs csproject     4096
doe     9373   doe     mail root           bad(ls,bin)
doe     9375   doe     mail root           bad(doefile,doe)
doe     9379   doe     logout              ok
jones   910    jones   su                  fail
jones   910    none    login jones         ok
jones   911    jones   su                  fail
jones   912    jones   su                  fail
jones   920    jones   su                  ok
jones   921    root    cd --farmer         ok
smith   859    none    login smith         ok
smith   900    smith   cd etc              ok
smith   901    etc     cp passwd --smith   ok
smith   902    etc     logout              ok

Figure  2:  Example  Audit  File  Listing 


a. Concept of Time

Time (t) is represented as an increasing integer value starting at the value
one (t=1).

3.  UNIX  Commands  Recognized  by  IDTS 
a.  Logins 

The login command as it appears in an IDTS audit file can be seen in Figure
2 as login <username>. For simplicity, it is assumed that a user can login legitimately
only once in the IDTS virtual UNIX environment. This restriction assists with determining
if a user’s password has been compromised when a user is logged in twice and there is no
logout between the two login times.


b.  Su  Command 

The su or super-user command allows a user to shut down the system,
terminate any process, create new accounts, change any account’s password, or read, write,
or delete any file on the entire system regardless of its permissions [Ref. 10, p. 35]. An
intruder will either try to login directly as the super-user root, or simply attempt to execute
the su command from within another user account. If an intruder is successful at becoming
the super-user, the consequences could be grave.

In IDTS it is assumed that root is the only user who should know the root
password to execute the su command successfully; therefore, if the su command is
successfully executed by a user other than root, then the root password has been
compromised. This assumption is an unreasonable restriction for root in a true UNIX
operating environment, since the user who is root would not be able to execute this
command in any directory other than their own. But this restriction teaches the user that an
intruder will try everything in their power to become root.
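One way to express the login and su assumptions above as checks over audit records, as an added Python example rather than the IDTS rules module: the five columns follow Figure 2, while the two-or-more-space column separator, the finding names and the sample records are assumptions constructed here.

```python
"""Two audit-trail checks based on the IDTS login and su assumptions (illustrative)."""
import re
from collections import defaultdict
from typing import NamedTuple


class AuditRecord(NamedTuple):
    user: str
    time: int
    directory: str
    command: str
    result: str


# Constructed sample in the Figure 2 column order: name, time, path, command, result.
SAMPLE_AUDIT = """
smith   100  none   login smith   ok
smith   105  smith  emacs notes   2048
smith   140  none   login smith   ok
smith   150  smith  logout        ok
jones   200  none   login jones   ok
jones   201  jones  su            fail
jones   205  jones  su            ok
jones   230  jones  logout        ok
doe     300  none   login doe     fail
doe     301  none   login doe     ok
doe     320  doe    logout        ok
doe     400  none   login doe     ok
"""


def parse_audit(text):
    """Parse whitespace-aligned audit lines; columns are split on 2+ spaces."""
    records = []
    for line in text.strip().splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 5:
            raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
        user, time, directory, command, result = fields
        records.append(AuditRecord(user, int(time), directory, command, result))
    return records


def detect(records):
    """Return (finding, user, time) tuples, ordered by time.

    double_login: a successful login while the same user is still logged in
        (no logout in between), which under the single-login assumption
        suggests the user's password has been compromised.
    root_password_compromised: a successful su by a user other than root.
    """
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec.user].append(rec)

    findings = []
    for user, recs in by_user.items():
        # Audit files may be grouped by user rather than globally ordered,
        # so order each user's records by time (stable for equal times).
        recs.sort(key=lambda r: r.time)
        logged_in = False
        for rec in recs:
            verb = rec.command.split()[0]
            succeeded = rec.result == "ok"
            if verb == "login" and succeeded:
                if logged_in:
                    findings.append(("double_login", user, rec.time))
                logged_in = True
            elif verb == "logout" and succeeded:
                logged_in = False
            elif verb == "su" and succeeded and user != "root":
                findings.append(("root_password_compromised", user, rec.time))
    return sorted(findings, key=lambda f: f[2])


if __name__ == "__main__":
    for finding in detect(parse_audit(SAMPLE_AUDIT)):
        print(finding)
```

Failed logins and failed su attempts are deliberately ignored here; only the two conditions stated in the text raise a finding.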

c.  File  Commands 

There  are  three  types  of  file  commands  modeled  in  IDTS:  copying,  editing/ 
creating,  and  deleting  files.  In  the  audit  file  the  command  used  for  copying  a  file  is  the 
UNIX  cp  command  which  takes  two  arguments,  the  file  being  copied  and  the  location  to 
which  it  will  be  copied.  The  editing/creating  a  file  command  is  the  UNIX  emacs  command 
which  takes  one  argument,  the  file  to  be  edited  or  created.  The  command  used  to  delete  a 
file  is  the  UNIX  rm  command  which  takes  one  argument,  the  file  to  be  deleted. 

Two  assumptions  have  been  made  in  the  area  of  file  manipulation  for  IDTS: 
a user must be located in the same directory as the file they wish to manipulate, and the only
editor  available  in  IDTS’s  virtual  UNIX  operating  environment  is  emacs. 

C.  PROGRAM  OVERVIEW 

IDTS  code  consists  of  one  main  program  and  eight  primary  submodules.  Appendix 
A contains the source code for these modules. Three of the eight submodules for this tutor
were written by Professor Rowe. These three modules are metutorSO, megraphSO, and
filetree. The last two modules provide an XWindows graphical user interface.

1.  The  Tutoring  System  Design 

The  tutor  program  requires  six  modules:  intruder,  metutorSO,  rules,  operators,  files, 
and  a  test  auditfile.  Figure  3  shows  the  relationship  between  all  IDTS  modules. 


[Figure 3 legend: Command Flow; Data Flow]


Figure  3:  Relationships  Between  IDTS  Modules 


The  intruder  module  is  the  main  program,  and  it  initializes  the  system  and  passes 
the  start_state  and  goal  of  the  tutoring  system  to  the  metutorSO  module  which  determines 
how  to  tutor  the  user.  The  rules  module  contains  all  of  the  rules  used  to  detect  intruder 
behavior  based  upon  the  auditfile  contents.  The  operators  module  holds  all  possible 
student  operators/actions  in  the  form  of  Prolog  facts  for  recommended,  precondition, 
addpostcondition,  and  deletepostcondition  conditions.  These  four  predicates  are  used  by 
the  metutorSO  module  to  tutor  the  student. 

The auditfile contains audit facts that are either generated by the threat modeling
program developed by LT Christopher Roberts described in [Ref. 11], or are manually
written. To avoid unnecessary problems for the student, this file is a static file, unlike the
real world where the audit trail is dynamic. Otherwise, for example, right at the moment
the user has selected an action to get rid of a certain behavior, another audit trail fact could
add another behavior to the state which needs to be removed. The files file is composed of
file facts, which contain the initial virtual file hierarchy, and insecure_password facts,
which tell the tutor which users have insecure passwords. The file facts are dynamic,
and may be created, modified, or deleted based on the actions in the auditfile.

D.  DATA  STRUCTURES 

1.  File  Facts 

a.  System  Files 

The data structure for files in the virtual computer system is in the form of
a seven-argument predicate called file. The following is an example of the file predicate:

file(<filename>,<directory>,<owner>,<size>,<type>,<protection>,<time>),

where

<filename> is any acceptable UNIX filename;

<directory> is any acceptable UNIX directory;

<owner> is the name of a user on the system and owner of this file;

<size> is an integer and the size of the file in bytes;

<type> is the type of the file, either executable or text;

<protection> are the acceptable UNIX permissions for the file;

and <time> is the time the file was last modified by the <owner>.

The seven arguments are the typical information one might see as a result of
using the ls command in a UNIX environment or dir in a DOS environment.

b.  Derived  Files 

There are three different types of derived file facts: deleted_dir,
deleted_file, and modified_file facts. They are derived by means of the checkfiles
subroutine in the intruder module, which loops through all of the audit file facts and applies
any deletions of files and/or directories and any modifications to the existing system files.
Their arguments are the same as those of the regular system file facts.

2.  Audit  File  Facts 

a.  Audit  Facts 

The  only  data  structure  stored  in  the  auditfile  is  the  audit  fact.  The  form  of 
these  facts  is  as  follows: 

audit(<user>,<time>,<directory>,<command>,  <result>). 

where 

<user>  is  the  name  of  a  user  in  the  system; 

<time>  is  the  time  the  <user>  executed  the  particular  <command>; 

<directory>  is  the  name  of  the  current  directory  the  <user>  is  located  in; 

<command> is any acceptable UNIX command;

and <result> is the result of executing the particular <command>, either "ok," "fail,"
"bad(<filename>,<directory>)," or an integer indicating the new size of the file named in
the <command>.

b.  Behavior  Facts 

The  four  and  five  argument  behavior  facts  are  derived  from  the  audit  facts 
by  applying  the  behavior  rules  in  the  rules  module.  The  four  argument  behavior  facts  are 
of  the  form: 

behavior(<intruder>,<crime>,<start>,<end>). 

where 

<intruder> is a string and the name of the user in the system suspected of the <crime>;

<crime> is a string representing the type of suspicious or malicious behavior the
<intruder> is accused of;

<start> is an integer and the time the <crime> became noticeable;

<end> is an integer and the time that the <crime> ended.

The five argument behavior fact is the same as the four argument behavior
fact except that it has an extra argument called <object>. The form of the five argument
behavior facts is as follows:

behavior(<intruder>,<crime>,<object>,<start>,<end>). 

The  <object>  argument  is  a  string  and  the  name  of  an  object,  either  a  file’s  name  or  user’s 
password,  that  has  been  altered  by  the  <crime>  the  <intruder>  is  suspected  of. 

c.  Mail  Facts 

Like the four and five argument behavior facts, mail facts are also derived
from the auditfile audit facts. The mail fact contains a complaint from a user to root about
a file in a directory or a password of a given user. The complaint may be that a file has been
modified, deleted, or that something strange occurs when the given file is executed. If the
complaint concerns a user's password, it means that the password has been changed by
another person, possibly an intruder. An assumption is made that a user can send mail to
root even though their password has been changed. The mail facts are initially stored in
the following data structure in the audit file in the <result> argument of the audit fact:

bad(<filename>,<directory>). or bad(password,<user>).

where 

<filename> is the name of a file in the system;

<directory> is the name of the directory in which this particular file resides;

and <user> is the name of a user on the system. This data structure is changed by the
checkfiles routine into another form and is stored in the database as:

mail(<from>,<to>,<time>,<message>).

where 

<from> is the name of the user who sent the <message>;

<to> is the name of the user who receives the <message>;

<time> is the time the <message> was sent by <from>;

and <message> is the mail message in the same form as the bad predicate.

3. Miscellaneous Facts

a. Insecure_Password Facts

The insecure_password fact is a simple data structure which is part of the
initial files IDTS uses to initialize the system. These facts let the tutoring system know which
users have insecure passwords. They are contained in the files module. Their data
structure is as follows:

insecure_password(<user>).

where <user> is the name of any user in the system.

E.  IDTS  MAIN  MODULE  -  INTRUDER 

1.  Initializing  the  Start  State 

In order to run IDTS, the start_state of the tutor must be initialized. This is
accomplished by the subroutine checkfiles in the intruder module. The checkfiles
subroutine is called by the main outer loop start of the tutor. Start not only calls checkfiles,
but it also displays the auditfile and mail received by root, asserts a graphicsflag, and calls
the main loop go of the metutor30 module.

a.  Checkfiles 

The checkfiles subroutine systematically loops through the auditfile
"looking" at every audit fact. Figure 4 shows how this is done. Depending on the
command in the audit fact, either nothing is done or one of the seven subroutines in
checkfiles is executed. These seven subroutines will now be described.

The rm_star subroutine deletes all files in a given directory by asserting a
deleted_file fact in the database for each file fact in the directory where the "rm *"
command is issued. To simulate the action of actually deleting a file, rm_star then
retracts each file fact in the given directory. By first asserting the deleted_file fact in the
database, the original seven arguments of the file fact are preserved. Preserving these
arguments is necessary if a deleted file is to be restored from backup.

Figure 4: Checkfiles Routine

The file_deleted subroutine handles a command argument in an audit fact
of the form "rm Filename," where Filename is any existing file. Like rm_star, file_deleted
asserts a deleted_file fact, and then simulates deleting the file by retracting the file fact. In
dir_deleted a deleted_dir fact is asserted vice a deleted_file fact.

If an audit fact has the command argument "emacs Filename" then the
subroutine file_modified asserts a modified_file fact in the database for "Filename," thus
preserving the original state of the file in case it needs to be restored from backup later.
The original file fact is then retracted and a new file fact with the modified size and time is
asserted. If the same file is modified more than one time in the audit file, that is, the
command "emacs Filename" is issued more than once, the subroutine file_modified will
fail the second time. The reason for this failure is that only one modified_file fact
should be asserted into the database, since there can only be one set of file arguments to use
to restore from backup. It should be noted that the current state of the file will always
reflect the most recent modifications.

The new_file subroutine handles the case when a file is created, or if an
audit fact has a command argument of the form "emacs Filename," where Filename is any
non-existing file. A new file fact is asserted into the database. Five of the seven file fact
arguments are taken directly from the audit fact: Filename, Directory, User, Size, and
Time. The Type and Protection arguments of the new file fact are given the default values
of "text" and "-rw-r--r--" respectively.

The copied_file subroutine creates a new file in the given path with the same
size, type, protection, and time last modified as the original. The filename, directory, and
owner may vary. The file may be copied to another directory in the same account as the
file being copied, or it may be copied to another account; the subroutines same_account and
different_account handle these situations respectively. A new file fact is asserted in the
database.

Finally,  the  subroutine  mail_recvd  manages  mail  messages  to  root.  This 
command  causes  mail_recvd  to  assert  a  mail  fact  into  the  database. 
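The state changes described for checkfiles, including the rule that a twice-edited file keeps only one modified_file fact, are shown in this added example (written for SWI-Prolog; it is not the Appendix A source). The facts are constructed, and the command encodings rm(File), rm_star and emacs(File), the helper names apply_all, apply_audit and size_change, and the file/7 argument order taken from the definition in section D are assumptions.

```prolog
:- dynamic file/7, deleted_file/7, modified_file/7.

% Constructed initial hierarchy:
% file(Name, Directory, Owner, Size, Type, Protection, Time).
file(login,  '/bin',        root,  20480, executable, '-rwxr-xr-x', 10).
file(notes,  '/home/jones', jones,   512, text,       '-rw-r--r--', 20).
file(report, '/home/jones', jones,  2048, text,       '-rw-r--r--', 30).

% Constructed audit trail: audit(User, Time, Directory, Command, Result).
audit(adams, 100, '/bin',        emacs(login), 21000).
audit(adams, 110, '/bin',        emacs(login), 22000).  % second edit of the same file
audit(adams, 120, '/home/jones', rm(notes),    ok).
audit(jones, 130, '/home/jones', emacs(todo),  64).     % file did not exist before
audit(jones, 140, '/home/jones', rm(missing),  fail).   % failed command: no change
audit(adams, 150, '/home/jones', rm_star,      ok).

% Apply every audit fact to the file database in time order.
checkfiles :-
    findall(T-a(U, D, C, R), audit(U, T, D, C, R), Keyed),
    keysort(Keyed, Sorted),
    apply_all(Sorted).

apply_all([]).
apply_all([T-a(U, D, C, R)|Rest]) :-
    ( apply_audit(U, T, D, C, R) -> true ; true ),  % anything else leaves files alone
    apply_all(Rest).

% "rm Filename": keep all seven arguments in deleted_file so a restore is possible.
apply_audit(_, _, Dir, rm(Name), ok) :-
    retract(file(Name, Dir, O, S, Ty, P, M)),
    assertz(deleted_file(Name, Dir, O, S, Ty, P, M)).
% "rm *": the same for every file fact in the directory.
apply_audit(_, _, Dir, rm_star, ok) :-
    forall(retract(file(N, Dir, O, S, Ty, P, M)),
           assertz(deleted_file(N, Dir, O, S, Ty, P, M))).
% "emacs Filename" on an existing file: record the pre-edit state once only,
% then replace the file fact with the new size and time.
apply_audit(_, Time, Dir, emacs(Name), NewSize) :-
    integer(NewSize),
    retract(file(Name, Dir, O, S, Ty, P, M)), !,
    (   modified_file(Name, Dir, _, _, _, _, _)
    ->  true                                   % backup state already preserved
    ;   assertz(modified_file(Name, Dir, O, S, Ty, P, M))
    ),
    assertz(file(Name, Dir, O, NewSize, Ty, P, Time)).
% "emacs Filename" on a missing file: new file with the default type and protection.
apply_audit(User, Time, Dir, emacs(Name), NewSize) :-
    integer(NewSize),
    assertz(file(Name, Dir, User, NewSize, text, '-rw-r--r--', Time)).

% Growth of an edited file relative to its preserved pre-edit state.
size_change(Name, Dir, Delta) :-
    modified_file(Name, Dir, _, Old, _, _, _),
    file(Name, Dir, _, New, _, _, _),
    Delta is New - Old.
```

Run `?- checkfiles.` once, then inspect deleted_file/7, modified_file/7 and size_change/3; because the first pre-edit state is the one preserved, size_change measures against the original file and not against the intermediate edit.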

b.  Forming  Start  State  List 

When the checkfiles subroutine is done, the initial start_state list can be
formed by collecting facts into small lists by the utilities nice_bagof and nice_setof,
written by Professor Rowe, and appending them together.

In addition to the facts asserted during the execution of the checkfiles
subroutine, file, behavior and insecure_password facts, as well as the fact that the backup
tape is stored, are appended to the start_state list. The file facts are those after the checkfiles
subroutine has been executed; therefore, any files created, deleted or modified as a result
of this subroutine's execution will be reflected. The behavior facts are determined by the
behavior rules for suspicious and blatant malicious behavior in the rules module. The
specifics of how these behavior facts are determined will be discussed in detail later. The
insecure_password facts are given in the files file.

2.  Initializing  the  Goal  State 

The goal of the Intrusion Detection Tutoring System is for the user to identify any
suspicious and/or malicious behavior based on a review of the audit file and mail received
by root and to correct any of this observed behavior. Additionally, the user should ensure
that there are no insecure passwords, the system backup tape is stored properly, and the
password cracker has been executed at least once.

The goal of the tutor as stated above has to be put into a form the tutor can use. Like
the start_state, the goal is in the form of a list. The first and main part of the goal is to not
have any behavior facts true; therefore, the goal contains a list of behavior facts preceded
by the word "not." This is accomplished by taking advantage of the subroutines
suspicious_behavior and not_item. Suspicious_behavior yields a list of behavior facts;
not_item takes this list and returns a list of not(behavior) facts. Similarly, to obtain the
goal of no insecure passwords, a list of insecure_password facts is run through the
not_item subroutine, yielding a list of not(insecure_password) facts. The second part of
the goal is easily satisfied by appending:

[stored(backup,tape),executed(password,cracker)]. 

3.  Output 

There are two main output subroutines used in the main outer loop start of the tutor,
auditfile and mail. The auditfile subroutine sorts the contents of the audit file alphabetically
and chronologically, and outputs it at the beginning of the tutoring session. The mail
subroutine sorts the messages received by root alphabetically and prints them to the screen.
Both auditfile and mail use the subroutine fixed_length_concatenate from the module
filetree to assist in output formatting.

F. RULES MODULE


1.  Behavior  Rules 

The rules module uses four- and five-argument behavior rules to determine
suspicious and/or malicious behavior based on the audit file facts in a chronologically
sorted audit file. There are nineteen behavior rules that detect eleven different types of
intruder behavior. The behavior rules are only invoked at the tutor's initialization. They
address three types of intruders:

1.  someone  who  has  guessed  the  root  password 

2.  someone  who  has  guessed  another  user’s  password 

3.  someone  who  is  a  malicious  insider 

An intruder is recognized in one of five ways: 1) they successfully executed the su
command and they are not root; 2) they guessed another user's password, and there is
evidence of a concurrent login or they changed the user's password; 3) they copied and/or
edited the system password file "passwd" successfully; 4) they successfully copied and/or
edited a file belonging to another user in the other user's account; and 5) they successfully
edited a system executable file located in the "bin" directory.

They  find  evidence  for  the  following  types  of  intruder  behavior: 

• an intruder maliciously deleted a file

(Root receives a message from a user that one of their files has been deleted, and
there is evidence in the audit file that someone else has deleted it. By "maliciously"
deleted what is meant is that an intruder has deleted, in this case, a file that does not
belong to him. He was able to delete it either by becoming super-user or by
simply going to the directory where the file resides and deleting it. In the general
sense, anytime an object, either a user's file or password, is changed or deleted by
a user who does not own it, it is considered "malicious" behavior.)

• an intruder copied the system password file

(There is evidence in the audit file that the password file has been copied by some
user.)

• an intruder edited the system password file

(There is evidence in the audit file that the password file has been edited by some
user.)

• an intruder maliciously changed user password

(Root receives a message from a user that their password has been changed.)

• an intruder inserted a Trojan Horse

(Root receives a mail message that a system executable file is bad, and there is
evidence in the audit file that it has been modified by some user by a given amount.
In IDTS, a Trojan Horse is defined as a 1024-byte change in an executable file.)

• an intruder maliciously modified file

(Root receives a message from a user that one of their files has been modified.)

• a compromised root password exists

(A user other than root has successfully executed the su command or there is a
concurrent login of root.)

• a compromised user password exists

(There is a concurrent login of a user.)

• a possible Trojan Horse exists

(Root receives a mail message that a system executable file is bad, and there is
evidence in the audit file that it has been modified by some user.)

• a possible intruder exists

(There is evidence in the audit file that a user is repeatedly trying to execute the su
command.)

• a possible compromised user password exists

(There is evidence in the audit file of a suspicious login by a user.)

Two important subroutines used by the behavior rules are concurrent_login
and suspicious. The subroutine concurrent_login is used by the behavior rules to
determine if a user is logged on twice. It compares a user's login and logout times to see
if there is a case when there are two login times where no logout time exists between them.
The suspicious subroutine is used to determine when a legitimate user or intruder has
repeatedly failed executing a particular command. There are three suspicious commands
that the behavior rules look at: logins and the use of the su command. If the command fails
more than some pre-determined threshold, then it is considered suspicious behavior.
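The two subroutines just described, run over a small audit trail, as an added example (written for SWI-Prolog; it is not the IDTS rules module). The audit facts are constructed; the encoding of login, logout and su as plain atoms, the threshold value 3, the crime strings, and the predicates failure_threshold, suspicious_command and detected are assumptions.

```prolog
:- use_module(library(lists)).

% Constructed audit trail: audit(User, Time, Directory, Command, Result).
audit(jones, 100, '/home/jones', login,  ok).
audit(jones, 130, '/home/jones', login,  ok).    % no logout since time 100
audit(jones, 200, '/home/jones', logout, ok).
audit(jones, 210, '/home/jones', logout, ok).
audit(davis, 300, '/home/davis', login,  ok).
audit(davis, 340, '/home/davis', logout, ok).
audit(davis, 400, '/home/davis', login,  ok).    % sequential sessions, not concurrent
audit(davis, 450, '/home/davis', logout, ok).
audit(adams, 500, '/home/adams', login,  ok).
audit(adams, 510, '/home/adams', su,     fail).
audit(adams, 520, '/home/adams', su,     fail).
audit(adams, 530, '/home/adams', su,     fail).
audit(adams, 540, '/home/adams', su,     fail).
audit(adams, 550, '/home/adams', su,     ok).    % the guess finally succeeds
audit(adams, 600, '/home/adams', logout, ok).
audit(davis, 700, '/home/davis', su,     fail).  % single failure, under threshold

failure_threshold(3).        % assumed; the thesis says only "pre-determined"
suspicious_command(login).
suspicious_command(su).

% Two successful logins by one user with no logout recorded between them.
concurrent_login(User, T1, T2) :-
    audit(User, T1, _, login, ok),
    audit(User, T2, _, login, ok),
    T1 < T2,
    \+ ( audit(User, T, _, logout, ok), T > T1, T < T2 ).

% A user whose failures of one command exceed the threshold.
% Start and End are the first and last failure times.
suspicious(User, Command, Start, End) :-
    suspicious_command(Command),
    failure_threshold(Max),
    bagof(T, D^audit(User, T, D, Command, fail), Ts),   % groups by User
    msort(Ts, Times),
    length(Times, N),
    N > Max,
    Times = [Start|_],
    append(_, [End], Times).

% Four-argument behavior facts derived from the audit trail.
behavior(User, 'compromised root password', T, T) :-
    audit(User, T, _, su, ok),
    User \== root.
behavior(root, 'compromised root password', S, E) :-
    concurrent_login(root, S, E).
behavior(User, 'compromised user password', S, E) :-
    concurrent_login(User, S, E),
    User \== root.
behavior(User, 'possible intruder', S, E) :-
    suspicious(User, su, S, E).
behavior(User, 'possible compromised user password', S, E) :-
    suspicious(User, login, S, E).

% All derived behavior facts, sorted and without duplicates.
detected(Facts) :-
    findall(behavior(U, C, S, E), behavior(U, C, S, E), Found),
    sort(Found, Facts).
```

Query `?- detected(Facts).` to list the derived facts. The concurrent_login test depends on every logout being recorded: a session that ends without a logout fact makes the user's next login look concurrent.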

G.  OPERATORS  MODULE 

This module stores the predicates required by metutor30 to tutor the student:
recommended,  precondition,  addpostcondition,  and  deletepostcondition.  The  possible 
student  actions  and  their  recommending  circumstances  are  stored  in  the  recommended 
predicate.  In  order  to  use  one  of  these  recommended  actions,  the  student  and  tutor  must 
ensure  that  certain  preconditions  are  met.  A  list  of  preconditions  for  each  operator  action 
is  in  the  precondition  predicate.  After  an  operator  action  has  been  selected  by  the  student 
and  executed  by  the  tutor,  any  postconditions  associated  with  the  operator  action  are  placed 
in  the  current  state  of  the  system.  These  postconditions  are  stored  in  the  addpostcondition 
predicate.  The  deletepostcondition  predicate  is  used  to  delete  a  fact  from  the  current  state 
after  the  associated  operator  has  been  applied  to  the  current  state  of  the  system.  In  IDTS, 
the  most  important  actions  are  those  which  remove  the  intruder  behaviors  from  the  states, 
and  move  the  student  closer  to  the  goal. 

The recommended operators in IDTS were developed from reviewing system
administrator responsibilities in intrusion detection in [Ref. 8]. The following is a list of
IDTS operators available to the student:

• restore the system password file "passwd" from backup

• change the permissions on the "passwd" file

• change the root password

• remove a Trojan Horse from a file

• compare a file for a Trojan Horse with its backup version

• confront a user

• restore a user's password

• issue a new user password

• examine a user's password

• investigate a user's password

• restore the modified file X from backup

• restore the deleted file X from backup

• check the permissions on a file

• execute the password cracker

• change the password for a user

• find the file X on the backup tape

• locate the backup tape

• load the backup tape

• store the backup tape

A student uses these operators to reach the goal of no intruder behavior in the state.
For example, if an intruder had maliciously deleted a file belonging to another user, the
tutor would recommend the "restore the deleted file X from backup" operator to remove
the behavior fact "behavior(Intruder,'maliciously deleted file',X,Time1,Time2)" from the
current state. In order to apply the "restore" operator, the precondition "found the file X on
the backup tape" must be satisfied, which means the student needs to apply the "find the file
X on the backup tape" operator; however, this also has a precondition of "loaded the backup
tape," and so on. Figure 5 shows all the steps to remove the fact
"behavior(Intruder,'maliciously deleted file',X,Time1,Time2)" from the state.

locate the backup tape -> load the backup tape -> find the file X on the backup tape -> restore the deleted file X from backup

Figure 5: Example of Using Operators to Remove Intruder Behavior

By applying the appropriate operators, the student will ultimately reach the point
where all intruder behavior has been addressed and system administrator responsibilities
are completed, like storing the backup tape if it was loaded to restore a file from backup.
At this point, the tutor will exit after congratulating the student on successfully finishing
the lesson.
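The operator chaining of Figure 5, together with the goal list from section E.2, worked through by a small means-ends planner as an added example (written for SWI-Prolog; it is not the metutor30 or operators module). The four predicate names are the ones the thesis lists, but their two-argument layout, the operator terms such as restore_deleted(X), the state facts located/loaded/found_on_backup, and the planner itself are assumptions.

```prolog
:- use_module(library(lists)).

% recommended(Difference, Operator): which operator reduces which difference.
recommended([not(behavior(_, 'maliciously deleted file', X, _, _))], restore_deleted(X)).
recommended([found_on_backup(X)],          find_on_backup(X)).
recommended([loaded(backup, tape)],        load_backup_tape).
recommended([located(backup, tape)],       locate_backup_tape).
recommended([stored(backup, tape)],        store_backup_tape).
recommended([executed(password, cracker)], execute_password_cracker).

precondition(restore_deleted(X),       [found_on_backup(X)]).
precondition(find_on_backup(_),        [loaded(backup, tape)]).
precondition(load_backup_tape,         [located(backup, tape)]).
precondition(locate_backup_tape,       []).
precondition(store_backup_tape,        [loaded(backup, tape)]).
precondition(execute_password_cracker, []).

deletepostcondition(restore_deleted(X),
    [behavior(_, 'maliciously deleted file', X, _, _), found_on_backup(X)]).
deletepostcondition(find_on_backup(_),        []).
deletepostcondition(load_backup_tape,         [stored(backup, tape), located(backup, tape)]).
deletepostcondition(locate_backup_tape,       []).
deletepostcondition(store_backup_tape,        [loaded(backup, tape)]).
deletepostcondition(execute_password_cracker, []).

addpostcondition(restore_deleted(_),       []).
addpostcondition(find_on_backup(X),        [found_on_backup(X)]).
addpostcondition(load_backup_tape,         [loaded(backup, tape)]).
addpostcondition(locate_backup_tape,       [located(backup, tape)]).
addpostcondition(store_backup_tape,        [stored(backup, tape)]).
addpostcondition(execute_password_cracker, [executed(password, cracker)]).

% A goal item not(F) holds when no state fact matches F; any other item
% holds when it is in the state.
holds(not(F), State) :- !, \+ member(F, State).
holds(F, State) :- member(F, State).

unmet(Goal, State, Diffs) :-
    findall(G, ( member(G, Goal), \+ holds(G, State) ), Diffs).

% means_ends(+State, +Goal, -Operators, -FinalState)
means_ends(State, Goal, [], State) :-
    unmet(Goal, State, []).
means_ends(State, Goal, Ops, Final) :-
    unmet(Goal, State, [D|_]),
    recommended([D], Op),
    precondition(Op, Pre),
    means_ends(State, Pre, PreOps, S1),       % first make Op applicable
    apply_op(Op, S1, S2),
    means_ends(S2, Goal, PostOps, Final),     % then finish the original goal
    append(PreOps, [Op|PostOps], Ops).

apply_op(Op, S0, S) :-
    deletepostcondition(Op, Dels),
    addpostcondition(Op, Adds),
    remove_all(Dels, S0, S1),
    append(Adds, S1, S).

remove_all([], S, S).
remove_all([D|Ds], S0, S) :-
    drop_matching(D, S0, S1),
    remove_all(Ds, S1, S).

drop_matching(_, [], []).
drop_matching(D, [F|Fs], Out) :-
    ( D \= F -> Out = [F|Rest] ; Out = Rest ),
    drop_matching(D, Fs, Rest).

% Constructed start state: one five-argument behavior fact, tape stored.
start_state([behavior(adams, 'maliciously deleted file', notes, 120, 120),
             stored(backup, tape)]).

% Goal list: not(...) for each behavior fact, then the two fixed items.
goal_for(State, Goal) :-
    findall(not(B), ( member(B, State), functor(B, behavior, _) ), Nots),
    append(Nots, [stored(backup, tape), executed(password, cracker)], Goal).

demo(Ops) :-
    start_state(S),
    goal_for(S, G),
    once(means_ends(S, G, Ops, _)).
```

Query `?- demo(Ops).` to see the plan. The store operator is planned after the restore even though stored(backup,tape) was true in the start state, because loading the tape deleted that fact.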
V. DISCUSSION OF RESULTS


A.  IDTS  PERFORMANCE 

Four runs of IDTS were conducted with different sized test audit files containing a
variety of intruder behaviors. The first run used an input audit file written by the author.
The other runs used input audit files generated by the threat modeling program written by
LT Christopher Roberts described in [Ref. 11]. The input audit files used and scripts of
each run are contained in Appendix B. A discussion of the results of these runs follows.

1.  Run  1 

The first run of IDTS used a test audit file of one hundred and seven audit facts. All
eleven different types of intruder behavior modeled in IDTS and described in Chapter IV were
present in the test audit file and were detected. These eleven types of behaviors were found in
twenty behavior facts determined by the IDTS rules. This run required
4,188,640 bytes of memory and had a runtime of 81.7 seconds.

2.  Run  2 

The  second  run  of  IDTS  used  a  test  audit  file  consisting  of  one  hundred  and  ninety- 
five  audit  facts.  Upon  execution  of  IDTS,  ten  behavior  facts  were  found,  correctly 
detecting  six  different  types  of  intruder  behavior.  There  was  a  user,  “doe,”  who 
successfully  added  an  executable  file  to  root’s  “bin”  directory.  IDTS  does  not  model  this 
type  of  intruder  behavior;  however,  it  is  something  to  consider  for  IDTS’s  future.  Also, 
removing  any  copies  of  the  system  password  file  “passwd”  could  be  modeled  in  future 
versions of IDTS. This run required 2,353,632 bytes of memory and had a
runtime of 40.5 seconds.

3.  Run  3 

The largest test audit file used contained two hundred and nineteen audit facts,
and was generated with similar parameters as the audit file in run 2. IDTS correctly identified
seven different types of intruder behavior from the behavior rules firing and finding
fourteen behavior facts. Again, the system password file was copied, but the copies
remained in the directories to which they were copied. This run required
2,484,704 bytes of memory and had a runtime of 40.3 seconds.

4.  Run  4 

The fourth run of IDTS was performed on an input file of two hundred and ten audit
facts, generated with similar parameters as the audit file in run 2. Ten behavior facts
were found by the IDTS rules, correctly identifying five different types of intruder
behavior. This run required 2,222,560 bytes of memory and had a runtime of
26.9 seconds.

5.  IDTS  Tutoring  Performance 

The  goal  of  the  tutor  is  to  have  the  student  remove  any  intruder  behavior  found  by 
the  IDTS  rules,  execute  the  password  cracker,  remove  any  insecure  user  passwords  that 
result  from  executing  the  password  cracker,  and  ensure  the  backup  tape  is  stored.  For 
example,  in  run  1  all  eleven  types  of  intruder  behavior  were  present  in  the  input  audit  file. 
The  tutor  will  expect  the  student  to  select  the  appropriate  actions  to  remove  these  behaviors. 
In  this  run,  the  student  starts  by  selecting  the  operator  “execute  the  password  cracker.”  It 
finds  that  there  are  only  two  passwords  known  to  be  insecure.  Again  the  tutor  will  expect 
the  student  to  remove  these  behaviors.  By  applying  the  appropriate  action,  “change  the 
password,”  for  each  user  with  an  insecure  password,  the  student  accomplishes  this.  The 
student  in  run  1  systematically  removes  all  behaviors  by  restoring  files,  examining  and 
changing  passwords,  confronting  users,  as  well  as  completing  the  required  system 
administrator  actions,  like  properly  handling  the  backup  tape.  After  all  behaviors  and 
insecure  passwords  are  removed,  the  password  cracker  is  executed,  and  the  backup  tape  is 
stored,  the  tutor  congratulates  the  student  for  having  done  the  job. 

In  all  runs,  the  tutor  correctly  tutored  the  student,  and  the  student  was  able  to 
remove  all  behaviors  detected  by  the  IDTS  rules  and  complete  all  required  system 
administrator  duties  like  executing  the  password  cracker. 
B. HARDWARE AND SOFTWARE REQUIREMENTS

The source code for IDTS requires 38,561 bytes. Including an average-sized input
audit file (100 audit facts) and the initial system files file, this size increases to
approximately 49,500 bytes. Since it is written in Quintus Prolog, a Prolog compiler is
necessary to run this application, which increases the space requirements. IDTS can run
without the graphical user interface provided by the programs megraph30 and filetree to
reduce the space requirements of the XWindows windowing environment.

VI. CONCLUSIONS AND FUTURE RESEARCH DIRECTIONS


Intrusion  detection  is  a  very  big  problem,  and  will  more  than  likely  be  a  problem  in 
the  future.  There  are  too  many  variables  involved  with  determining  if  a  system  has  come 
under  an  attack  by  an  intruder.  Although  there  are  automated  intrusion  detection  systems 
available,  they  do  not  always  detect  intruder  behavior  and  are  susceptible  to  false  negatives 
and  false  positives.  The  final  burden  to  find  the  intruder  ultimately  falls  upon  the  system 
administrator.  The  system  administrator  should  then  understand  how  to  analyze  audit  trail 
information.  The  IDTS  is  a  tool  which  can  assist  the  system  administrator  in  learning  how 
to  analyze  an  audit  trail  and  detect  an  intruder  based  on  this  analysis. 

A.  PROGRAM  CONTRIBUTIONS 

To  date,  IDTS  is  the  first  intelligent  tutoring  system  focused  on  intrusion  detection. 
It  has  nineteen  behavior  rules  that  capably  and  correctly  detect  eleven  different  types  of 
intruder  behavior,  as  demonstrated  by  the  test  runs  in  Appendix  B.  IDTS  is  flexible  and 
has  the  ability  to  tutor  a  student  in  different  scenarios  by  means  of  using  multiple  audit  files. 

B.  PROGRAM  WEAKNESSES 

The  behavior  rules  that  are  part  of  IDTS  have  been  tested  on  only  a  few  sample  audit 
files,  and  require  a  more  thorough  testing.  They  detect  behavior  that  has  been  written  to 
match  them.  For  example,  the  rules  did  not  detect  the  user  “doe”  from  run  2  who  planted 
an  executable  file  (possible  virus)  in  the  “bin”  directory.  This  is  definitely  a  rule  which 
should  be  included  in  future  versions  of  IDTS.  IDTS  also  does  not  have  any  statistical 
anomaly  detection  capability.  This  is  a  difficult  obstacle  for  IDTS  to  overcome,  since  it 
concerns  itself  exclusively  with  logical  reasoning  and  it  is  built  on  a  virtual  environment. 
Anomaly detection could perhaps be simulated, but would require considerable overhead
to maintain and train profiles. Finally, IDTS is not system independent; the rules
are written for UNIX systems.




C.  FUTURE  RESEARCH  DIRECTIONS  FOR  IDTS 

The  best  way  to  improve  IDTS  would  be  to  make  it  a  more  generic  intrusion- 
detection  tutoring  system.  This  would  mean  it  would  have  to  be  system  independent.  A 
possible  solution  would  be  to  incorporate  NIDES  detection  rules  into  IDTS  to  find  the 
intruders. Then the other parts of IDTS along with the metutor30 module would tutor the
student  based  on  the  intruder  behavior  detected  by  NIDES.  Also,  by  using  NIDES  the 
problem  of  IDTS  lacking  anomalous  detection  capability  would  be  solved. 

Additionally,  more  rules  and  operators  should  be  added  to  make  IDTS  more 
comprehensive.  Rules  to  detect  numerous  file  “permission  denied”  errors  and  numerous 
cd  command  executions  could  be  modeled.  Also,  rules  as  well  as  operators  dealing  with 
intruders  who  penetrate  systems  via  modem  or  rlogins  could  and  should  be  incorporated  in 
IDTS.  More  operators  on  networking  and  system  administrator  responsibilities  should  be 
added  too.  For  example,  operators  like  terminating  network  connections  and  closing 
firewalls  when  an  intruder  is  suspected  could  be  added.  As  for  system  administrator 
responsibilities,  operators  such  as  removing  copies  of  the  system  password  file,  checking 
for  dormant  accounts,  killing  processes,  disabling  accounts,  and  informing  the  authorities 
can  only  enhance  IDTS  and  make  the  student  a  well-rounded  system  administrator. 
APPENDIX A: IDTS SOURCE MODULES


This  appendix  contains  the  source  code  for  IDTS. 


Tab  1.  IDTS  Main  Module  —  Intruder 

Tab 2. IDTS Rules Module

Tab  3.  IDTS  Operators  Module 

Tab  4.  IDTS  Files  Module 

Tab  5.  IDTS  Sample  Auditfile  Module 
TAB 1. IDTS MAIN MODULE - INTRUDER


/*****************************************************************************/
/* Intrusion-Detection Tutoring System Program (IDTS)                        */
/* LT Sandra J. Schiavo, U.S. Navy, Naval Postgraduate School, Monterey CA 93940 */
/* IDTS Main Interface -- Version 1                                          */
/*                                                                           */
/* To run IDTS, load *this* module and query:                                */
/*      :- start.                                                            */
/*                                                                           */
/* NOTE: To run IDTS with an XWindows graphical user interface query:        */
/*      :- winstart.                                                         */
/*                                                                           */
/* The main interface module initializes IDTS and passes the start           */
/* state and goal to the metutor30 module.                                   */
/*****************************************************************************/

; -ensure_loaded(metutor30) ,as8erta (writelist_prednum(l) ) , 
ensure_loaded( audit file) , 
ensure_loaded(filetree) , 
ensuro_loaded (rules) , 
ensure_loaded (files ) , 
ensure_loaded ( operators ) . 


/******************************************************************************/
/* The singular predicate is used to help with verb tense of the output */
/******************************************************************************/

singular(behavior(A,B,C,D)).
singular(behavior(A,B,C,D,E)).
singular(adams).
singular(evans).
singular(jones).
singular(davis).


/******************************************************************************/
/* These predicates are hidden from the user. They are used by the tutor. */
/* */
/*     behavior/4 */
/*     behavior/5 */
/*     file/7 */
/*     deleted_dir/7 */
/*     deleted_file/7 */
/*     modified_file/7 */
/*     insecure_password/1 */
/******************************************************************************/

hidden(behavior(A,B,C,D)).
hidden(behavior(A,B,C,D,E)).
hidden(file(Name,Owner,Parent,Type,Size,Protection,Modified)).
hidden(deleted_dir(Name,Owner,Parent,Type,Size,Protection,Modified)).
hidden(deleted_file(Name,Owner,Parent,Type,Size,Protection,Modified)).
hidden(modified_file(Name,Owner,Parent,Type,Size,Protection,Modified)).
hidden(insecure_password(User)).

/******************************************************************************/
/* usercommand allows for its argument to be used as an appropriate action for the */
/* student. */
/******************************************************************************/

usercommand(auditfile).
usercommand(mail).

intro('
* To see a list of possible actions, type the letter "h" or the word *
* "help." To review the audit file or your mail at anytime, type the *
* word "auditfile" or "mail" respectively.                           *
*                                                                    *
**********************************************************************
').

winstart :- asserta(graphicsflag), auditfile, checkfiles, mail, go.
start :- auditfile, checkfiles, mail, go.


/* The start state and goal passed to the metutor30 module to tutor student. */

start_state(Start) :-
    nice_bagof(file(A,B,C,D,E,F,G), file(A,B,C,D,E,F,G), Files),
    mail_received(Mail),
    append(Files, Mail, L1),
    files_deleted(F1),
    append(L1, F1, L2),
    dirs_deleted(Dirs),
    append(L2, Dirs, L3),
    rm_files_deleted(RF1),
    append(L3, RF1, L4),
    files_modified(F2),
    append(L4, F2, L5),
    suspicious_behavior(Behavior),
    append(L5, Behavior, L6),
    insecure(Passwords),
    append(L6, Passwords, L7),
    append(L7, [stored(backup,tape)], Start), file_display_init(Start).

goal(Goal) :- suspicious_behavior(Behavior),
    insecure(Passwords),
    not_item(Behavior, NotList1),
    not_item(Passwords, NotList2),
    append(NotList1, NotList2, NotList),
    append(NotList, [stored(backup,tape), executed(password,cracker)], Goal).


/* IDTS initializing routine: checkfiles */

checkfiles :- not(checkedfiles).
checkedfiles :-
    audit(User,Time,Path,Command,Result),
    (file_deleted(Command,F1);
     dir_deleted(Command,Dir);
     rm_star(Command,Path);
     file_modified(Time,Path,Command,Result,F2);
     new_file(User,Time,Path,Command,Result);
     copied_file(User,Time,Path,Command,Result);
     mail_recvd(User,Time,Command,Result)), fail.


/* Checkfiles subroutines */

files_deleted(Files) :-
    nice_setof(deleted_file(F,Parent,Owner,Type,Size,Protection,Modified),
               deleted_file(F,Parent,Owner,Type,Size,Protection,Modified), Files).

file_deleted(Command,File) :-
    make_list(Command,[rm,File]),
    file(File,Parent,Owner,Type,Size,Protection,Modified),
    (Type=text;Type=executable),
    asserta(deleted_file(File,Parent,Owner,Type,Size,Protection,Modified)),
    retract(file(File,Parent,Owner,Type,Size,Protection,Modified)).

dirs_deleted(Dirs) :-
    nice_setof(deleted_dir(Dir,Parent,Owner,Type,Size,Protection,Modified),
               deleted_dir(Dir,Parent,Owner,Type,Size,Protection,Modified), Dirs).

dir_deleted(Command,Dir) :-
    make_list(Command,[rmdir,Dir]),
    file(Dir,Parent,Owner,Type,Size,Protection,Modified),
    Type=directory,
    asserta(deleted_dir(Dir,Parent,Owner,Type,Size,Protection,Modified)),
    retract(file(Dir,Parent,Owner,Type,Size,Protection,Modified)).

rm_files_deleted(Files) :-
    nice_setof(deleted_file(F,Parent,Owner,Type,Size,Protection,Modified),
               deleted_file(F,Parent,Owner,Type,Size,Protection,Modified), Files).

rm_star(Command,Path) :-
    make_list(Command,[rm,*]),
    file(File,Path,Owner,Type,Size,Protection,Modified),
    (Type=text;Type=executable),
    asserta(deleted_file(File,Path,Owner,Type,Size,Protection,Modified)),
    retract(file(File,Path,Owner,Type,Size,Protection,Modified)).

files_modified(Files) :-
    nice_setof(modified_file(File,Parent,Owner,Type,Size,Protection,Modified),
               modified_file(File,Parent,Owner,Type,Size,Protection,Modified), Files).

file_modified(Time,Parent,Command,Result,File) :-
    make_list(Command,[emacs,File]),
    file(File,Parent,Owner,Type,Size,Protection,Modified),
    (Type=text;Type=executable),
    not(modified_file(File,Parent,Owner,_,_,_,_)),
    asserta(modified_file(File,Parent,Owner,Type,Size,Protection,Modified)),
    retract(file(File,Parent,Owner,Type,Size,Protection,Modified)),
    asserta(file(File,Parent,Owner,Type,Result,Protection,Time)).

file_modified(Time,Parent,Command,Result,File) :-
    make_list(Command,[emacs,File]),
    file(File,Parent,Owner,Type,Size,Protection,Modified),
    (Type=text;Type=executable),
    retract(file(File,Parent,Owner,Type,Size,Protection,Modified)),
    asserta(file(File,Parent,Owner,Type,Result,Protection,Time)).

new_file(User,Time,Parent,Command,Result) :-
    make_list(Command,[emacs,File]),
    not(file(File,Parent,_,_,_,_,_)), not(Parent=bin),
    asserta(file(File,Parent,User,text,Result,'-rw-r--r--',Time)).

new_file(User,Time,Parent,Command,Result) :-
    make_list(Command,[emacs,File]),
    not(file(File,Parent,_,_,_,_,_)), (Parent=bin),
    asserta(file(File,Parent,User,executable,Result,'-rw-r--r--',Time)).

copied_file(User,Time,Parent,Command,Result) :-
    make_list(Command,[cp,File,Path]),
    (different_account(User,Time,Parent,Command,Result,File,Path);
     same_account(User,Time,Parent,Command,Result,File,Path)).

different_account(User,Time,Parent,Command,Result,File,Path) :-
    make_path_list(Path,[X|List]),
    tilde_word(X,Owner),
    file(File,Parent,_,Type,Size,Protection,Modified),
    (Type=text;Type=executable),
    not(file(File,Owner,Owner,_,_,_,_)),
    asserta(file(File,Owner,Owner,Type,Size,Protection,Modified)).

same_account(User,Time,Parent,Command,Result,File,Path) :-
    make_path_list(Path,List),
    last(List,NewFile), next_to_last(List,Dir),
    file(File,Parent,User,Type,Size,Protection,Modified),
    (Type=text;Type=executable),
    not(file(File,Dir,User,_,_,_,_)),
    asserta(file(File,Dir,User,Type,Size,Protection,Modified)).

mail_recvd(User,Time,Command,Result) :-
    make_list(Command,[mail,root]),
    asserta(mail(User,root,Time,Result)).

suspicious_behavior(Behavior) :-
    nice_setof(behavior(User,Crime,Time1,Time2),
               Crime^Time1^Time2^behavior(User,Crime,Time1,Time2), B1),
    nice_setof(behavior(User,Crime,File,Time1,Time2),
               Crime^File^Time1^Time2^behavior(User,Crime,File,Time1,Time2), B2),
    append(B1,B2,B3),
    remove_behavior(B3,Behavior).

remove_behavior(List,Answer) :-
    member(behavior(User,Crime,T1,T2),List),
    member(behavior(User1,Crime,T5,T6),List),
    (not(User=User1);not(T1=T5);not(T2=T6)), !,
    delete(behavior(User1,Crime,T5,T6),List,NewList),
    remove_behavior(NewList,Answer).

remove_behavior(List,Answer) :-
    member(behavior(User,Crime,Object,T1,T2),List),
    member(behavior(User1,Crime,Object,T5,T6),List),
    (not(User=User1);not(T1=T5);not(T2=T6)), !,
    delete(behavior(User1,Crime,Object,T5,T6),List,NewList),
    remove_behavior(NewList,Answer).

remove_behavior(List,List).

insecure(Passwords) :-
    bagof(insecure_password(User),insecure_password(User),Passwords).

mail_received(Mail) :-
    nice_setof(mail(User,root,Time,Result),
               Time^Result^mail(User,root,Time,Result), Mail).


/* Utility routines */

not_item(List,NotList) :- not_item1(List,[],NotList).
not_item1([],List,List).
not_item1([A|List],ItemList,Answer) :- F =.. [not,A],
    not_item1(List,[F|ItemList],Answer).

next_to_last(List,X) :-
    append(_,[X,Y],List), !.


/* Output routines: auditfile and mail */

auditfile :-
    write('
AUDIT FILE

The following displays the current contents of the audit file:
'), nl,
    write('
Name  Time  Path  Command  Result'), nl, nl,
    view_audit, nl.

view_audit :- not(reviewed_audit).
reviewed_audit :-
    bagof(audit(User,Time,Path,Command,Result),
          audit(User,Time,Path,Command,Result), List),
    sort(List,Sorted), member(audit(User,Time,Path,Command,Result),Sorted),
    fixed_length_concatenate(User,Time,15,String1),
    write(String1), write(' '),
    fixed_length_concatenate(Path,Command,25,String2),
    write(String2), write(' '),
    write(Result), nl, fail.


mail :-
    write('
****************************
MAIL RECEIVED
*
* The following displays mail received by root:
*
'), nl,
    write('
From  To  Time  Problem(File,Directory)'),
    nl, nl, read_mail, nl.

read_mail :- not(read).
read :-
    bagof(mail(User,root,Time,Problem),
          mail(User,root,Time,Problem), List),
    sort(List,Sorted), member(mail(User,root,Time,Problem),Sorted),
    mail(User,root,Time,Problem),
    fixed_length_concatenate(User,'root',15,String1),
    write(String1), write(' '),
    fixed_length_concatenate(Time,' ',6,String2),
    write(String2), write(' '),
    write(Problem), nl, fail.

TAB 2. IDTS RULES MODULE

/******************************************************************************/
/* Intrusion-Detection Tutoring System (IDTS) */
/* LT Sandra J. Schiavo, U.S. Navy, Naval Postgraduate School, Monterey CA 93940 */
/* IDTS Rules Module */
/* */
/* This module contains the behavior rules which detect suspicious and */
/* malicious behavior present in the auditfile, and the various subroutines */
/* used in them. */
/******************************************************************************/

/******************************************************************************/
/* Behavior Rules */
/******************************************************************************/



behavior(Intruder,'maliciously deleted file',File,T1,T1) :-
    audit(Intruder,P1,Time1,C1,ok),
    make_list(C1,[cd,X]),
    tilde_word(X,User),
    audit(Intruder,T1,Dir,C2,ok),
    make_list(C2,[rm,File]),
    not(audit(User,Time,Dir,C2,ok)),
    deleted_file(File,Dir,Owner,Type,Size,Protection,Modified).

behavior(Intruder,'maliciously deleted file',File,T1,T1) :-
    audit(Intruder,_,Time1,C1,ok),
    make_list(C1,[cd,X]),
    tilde_word(X,User),
    audit(Intruder,T1,Dir,C2,ok),
    make_list(C2,[rm,*]),
    not(audit(User,Time,Dir,C2,ok)),
    deleted_file(File,Dir,Owner,Type,Size,Protection,Modified).


/******************************************************************************/
/* System Administrator receives mail from a User saying a File was */
/* deleted by someone else. Case where malicious user cd's */
/* over to person's account. */
/******************************************************************************/

behavior(Intruder,'maliciously deleted file',File,T1,T2) :-
    audit(User,T2,P,'mail root',Message),
    Message =.. [bad,File,Dir],
    audit(Intruder,P1,Time1,C1,ok),
    make_list(C1,[cd,X]),
    tilde_word(X,User),
    audit(Intruder,T1,Dir,C2,ok),
    make_list(C2,[rm,File]),
    not(audit(User,Time,Path,C2,ok)).

/******************************************************************************/
/* System Administrator receives mail from User saying Files were */
/* maliciously deleted by someone else. Case where malicious user cd's */
/* over to person's account and uses "rm *" to delete all files in a */
/* directory (Dir). */
/******************************************************************************/

behavior(Intruder,'maliciously deleted file',File,T1,T2) :-
    audit(User,T2,_,'mail root',Message),
    Message =.. [bad,Dir],
    audit(Intruder,_,Time1,C1,ok),
    make_list(C1,[cd,X]),
    tilde_word(X,User),
    audit(Intruder,T1,Dir,C2,ok),
    make_list(C2,[rm,*]),
    not(audit(User,Time,Dir,C2,ok)),
    T1<T2,
    deleted_file(File,Dir,Owner,Type,Size,Protection,Modified).


/******************************************************************************/
/* System Administrator examines audit file and sees that the password file */
/* has been copied or edited by some user (Intruder). */
/******************************************************************************/

behavior(Intruder,'copied password file',T1,T1) :-
    audit(User,T1,etc,Command,ok),
    make_list(Command,[cp,passwd,X]),
    make_path_list(X,[Y|List]),
    tilde_word(Y,Intruder).

behavior(Intruder,'copied password file',T1,T1) :-
    audit(Intruder,T1,etc,Command,ok),
    make_list(Command,[cp,passwd|List]).

behavior(Intruder,'edited password file',T1,T1) :-
    audit(Intruder,T1,etc,Command,Number),
    make_list(Command,[emacs,passwd]).

/******************************************************************************/
/* System Administrator examines audit file and sees a suspicious login and */
/* possible compromise of some user (User)'s password. */
/******************************************************************************/

behavior(User,'possible compromised user password',User,T1,T2) :-
    suspicious(login,User,Time,T1),
    audit(User,T2,Path,Command,ok),
    make_list(Command,[login,User]),
    time_difference(T1,T2).

/******************************************************************************/
/* System Administrator examines audit file and sees two users logged on at */
/* the same time with the same user name. */
/******************************************************************************/

behavior(User,'compromised user password',User,T1,T2) :-
    concurrent_login(User,T1,T2).


/******************************************************************************/
/* System Administrator receives mail from User(X) saying that he cannot */
/* login due to his password being changed. */
/* */
/* Case 1: Intruder becomes root and changes user password. */
/* Case 2: Intruder masquerades as user and changes password. */
/******************************************************************************/

/* Case 1 */

behavior(Intruder,'maliciously changed user password',User,T1,T2) :-
    audit(User,T2,Path,'mail root',Message),
    Message =.. [bad,password,User],
    not(audit(User,_,_,yppasswd,ok)),
    audit(Intruder,_,_,C1,ok),
    make_list(C1,[cd,X]),
    tilde_word(X,User),
    audit(Intruder,T1,User,yppasswd,ok).

/* Case 2 */

behavior(User,'maliciously changed user password',User,T1,T2) :-
    audit(User,T2,P,'mail root',Message),
    Message =.. [bad,password,User],
    audit(User,Time,Path1,Command,ok),
    make_list(Command,[login,User]),
    Time<T2,
    audit(User,T1,Path2,yppasswd,ok),
    T1>Time, T1<T2.


/* Intruder has cracked the root password. Assumes only one person can */
/* be root and must login as root. */

behavior(Intruder,'compromised root password',T1,T1) :-
    audit(Intruder,T1,Path,su,ok),
    not(Intruder = root).

behavior(root,'compromised root password',T1,T2) :-
    concurrent_login(root,T1,T2).


/* System Administrator receives mail from user(X) saying that strange */
/* "things" happen when he runs an executable. Case when a system executable */
/* has been modified. */

behavior(Intruder,'possible Trojan Horse',File,T1,T1) :-
    audit(Intruder,T1,bin,C2,Size),
    make_list(C2,[emacs,File]),
    modified_file(File,bin,root,executable,_,_,_).

/* System Administrator examines audit file and finds that user(X) has */
/* successfully modified an executable File by X amount. X in this case is */
/* 1024. */

behavior(Intruder,'inserted Trojan Horse',File,T1,T2) :-
    audit(_,T2,Path,'mail root',Message),
    Message =.. [bad,File,Dir],
    audit(Intruder,T1,Dir,C2,Size),
    make_list(C2,[emacs,File]),
    T1<T2,
    change_in_file(File,1024).

change_in_file(File,Size) :-
    file(File,Dir,root,executable,Size2,Protection,Modified2),
    modified_file(File,Dir,root,executable,Size1,Protection,Modified1),
    Change is Size2 - Size1, Change = Size.


/******************************************************************************/
/* System Administrator receives mail from user(X) saying that some of */
/* his files have been maliciously modified. Case when malicious user */
/* gains access to User(X)'s account by insecure password. */
/******************************************************************************/

behavior(User,'maliciously modified file',File,T1,T2) :-
    audit(User,T2,P,'mail root',Message),
    Message =.. [bad,File,Dir],
    suspicious(login,User,Time1,Time2),
    audit(User,T1,Dir,C2,Size),
    make_list(C2,[emacs,File]),
    T1<T2.

/* System Administrator receives mail from User(X) saying that some of */
/* his files have been maliciously modified. Case where malicious user(Y) */
/* cd's to user(X)'s directory and modifies file directly. */

behavior(Intruder,'maliciously modified file',File,T1,T2) :-
    audit(User,T2,P,'mail root',Message),
    Message =.. [bad,File,Dir],
    audit(Intruder,Time1,P1,C1,ok),
    make_list(C1,[cd,X]),
    tilde_word(X,User),
    audit(Intruder,T1,Dir,C2,Size),
    make_list(C2,[emacs,File]),
    T1<T2, Time1<T2.

behavior(Intruder,'maliciously modified file',File,T1,T2) :-
    audit(User,T2,P,'mail root',Message),
    Message =.. [bad,File,Dir],
    audit(Intruder,Time1,P1,C1,ok),
    make_list(C1,[cd,Dir]),
    audit(Intruder,T1,Dir,C2,Size),
    make_list(C2,[emacs,File]),
    T1<T2.


/* Possible intruder on system due to multiple failed "su" commands. */

behavior(User,'possible intruder',T1,T2) :-
    suspicious('use of su command',User,T1,T2).

/******************************************************************************/
/* Suspicious predicates */
/******************************************************************************/

suspicious(login,User,T1,T2) :-
    repeated_failure(User,Command,Number,Times),
    make_list(Command,[login,User]),
    (Number >= 3),
    close_times(Times,[X|List]),
    get_times(X,T1,T2).

suspicious('use of su command',User,T1,T2) :-
    repeated_failure(User,su,Number,Times),
    not(User=root),
    (Number >= 3),
    get_times(Times,T1,T2).

repeated_failure(User,Command,Number,Failures1) :-
    bagof(Time,Path^audit(User,Time,Path,Command,fail),Failures),
    length(Failures,Number), sort(Failures,Failures1).


/* Time Related Subroutines */

concurrent_login(User,Time1,Time2) :-
    logins(User,Logins),
    logouts(User,Logouts),
    concurrency(Logins,Logouts,Time1,Time2).

logins(User,Logins) :-
    nice_bagof(Time,check(login,User,Time),L),
    sort(L,Logins).

logouts(User,Logouts) :-
    nice_bagof(Time,check(logout,User,Time),L),
    sort(L,Logouts).

check(login,User,Time) :- audit(User,Time,Path,Command,ok),
    make_list(Command,[login,User]).

check(logout,User,Time) :- audit(User,Time,Path,Command,ok),
    make_list(Command,[logout]).

concurrency([X,Y],[],Y,100000).
concurrency([X],List,X,100000) :- fail, !.
concurrency([X,Y|List1],[Z|List2],Y,Z) :- Z > Y.
concurrency([X,Y|List1],[Z|List2],Y,Z) :-
    append([Y],List1,NewList),
    concurrency(NewList,List2,Y,Z).
concurrency([],[],Number,100000) :- fail, !.

close_times([X,Y,Z|List],Ans) :- compare_times([X,Y,Z]),
    close_times1(List,Y,Z,[[X,Y,Z]],Ans).
close_times([X,Y,Z|List],Ans) :- close_times1(List,Y,Z,[],Ans).
close_times1([],Y,Z,List,List).
close_times1([Z|List],X,Y,Newlist,Ans) :- compare_times([X,Y,Z]),
    close_times1(List,Y,Z,[[X,Y,Z]|Newlist],Ans).
close_times1([Z|List],X,Y,Newlist,Ans) :-
    close_times1(List,Y,Z,Newlist,Ans).

compare_times([T1,T2,T3]) :- T2-T1<3, T3-T2<3.

time_difference(T1,T2) :- (T1 - T2) < 5.

get_logout(User,Logout) :-
    not(audit(User,Time,Path,logout,ok)),
    Logout is 100000.

get_logout(User,Logout) :-
    audit(User,Time,Path,logout,ok),
    Logout is Time.


/* List Subroutines & Other Utilities */

make_list(String,List) :- name(String,L1), append(X,[32|Y],L1),
    name(String1,X),
    make_list1(Y,[String1],List), !.

make_list(String,List) :- name(String,L1), append(X,[Z|Y],L1), not(Z=32),
    List = [String], !.

make_list1(List,NewList,Ans) :- append(X,[32|Y],List),
    name(String1,X),
    append(NewList,[String1],NewList1),
    make_list1(Y,NewList1,Ans), !.

make_list1(List,NewList,Ans) :- append(X,[Z|Y],List), not(Z=32),
    name(String1,List),
    append(NewList,[String1],Ans), !.

make_path_list(String,List) :- name(String,L1), append(X,[47|Y],L1),
    name(String1,X),
    make_path_list1(Y,[String1],List), !.

make_path_list(String,List) :- name(String,L1), append(X,[Z|Y],L1), not(Z=47),
    List = [String], !.

make_path_list1(List,NewList,Ans) :- append(X,[47|Y],List),
    name(String1,X),
    append(NewList,[String1],NewList1),
    make_path_list1(Y,NewList1,Ans), !.

make_path_list1(List,NewList,Ans) :- append(X,[Z|Y],List), not(Z=47),
    name(String1,List),
    append(NewList,[String1],Ans), !.

tilde_word(Dir,Username) :-
    name(Dir,L),
    first(L,126),
    append([X],List,L),
    name(Username,List).

get_times(List,T1,T2) :- first(List,T1), last(List,T2).
first([First|List],First).

TAB 3. IDTS OPERATORS MODULE

/******************************************************************************/
/* Intrusion-Detection Tutoring System Program — Version 1 (IDTS) */
/* LT Sandra J. Schiavo, U.S. Navy, Naval Postgraduate School, Monterey CA 93940 */
/* IDTS Operators Module */
/* */
/* This module contains the four predicates required by the metutor30 module */
/* to tutor the student: */
/*     recommended, */
/*     precondition, */
/*     postcondition, */
/*     deletepostcondition. */
/******************************************************************************/

/* Recommended Facts */



recommended([not(behavior(A,'edited password file',T1,T2))],
    [behavior(A,'edited password file',T1,T2)],
    restore(modified,file,passwd,from,backup)).
recommended([not(behavior(A,'copied password file',T1,T2))],
    [behavior(A,'copied password file',T1,T2)],
    change(permissions,file,passwd)).
recommended([not(behavior(A,'compromised root password',T1,T2))],
    [behavior(A,'compromised root password',T1,T2)],
    change(root,password)).
recommended([not(behavior(A,'inserted Trojan Horse',File,T1,T2))],
    [behavior(A,'inserted Trojan Horse',File,T1,T2)],
    remove('Trojan','Horse',from,File)).
recommended([not(behavior(A,'possible Trojan Horse',File,T1,T2))],
    [behavior(A,'possible Trojan Horse',File,T1,T2)],
    compare(file,File,for,'Trojan','Horse',with,File,on,backup,tape)).
recommended([not(behavior(A,'possible intruder',T1,T2))],
    [behavior(A,'possible intruder',T1,T2)],
    confront(user,A)).
recommended(
    [not(behavior(Intruder,'maliciously changed user password',User,T1,T2))],
    [behavior(Intruder,'maliciously changed user password',User,T1,T2)],
    restore(user,password,for,User)).
recommended(
    [not(behavior(A,'maliciously changed user password',T1,T2))],
    [behavior(A,'maliciously changed user password',T1,T2)],
    issue(A,new,user,password)).
recommended([not(behavior(A,'compromised user password',A,T1,T2))],
    [behavior(A,'compromised user password',A,T1,T2)],
    examine(user,password,A)).
recommended([not(behavior(A,'possible compromised user password',A,T1,T2))],
    [behavior(A,'possible compromised user password',A,T1,T2)],
    investigate(user,password,A)).
recommended([not(behavior(A,'maliciously modified file',X,T1,T2))],
    [behavior(A,'maliciously modified file',X,T1,T2)],
    restore(modified,file,X,from,backup)).
recommended([not(behavior(A,'maliciously deleted file',X,T1,T2))],
    [behavior(A,'maliciously deleted file',X,T1,T2)],
    restore(deleted,file,X,from,backup)).

recommended([checked(permissions,file,X)],check(permissions,file,X)).
recommended([executed(password,cracker)],execute(password,cracker)).
recommended([not(insecure_password(User))],
    [known(insecure,password,for,User)],
    change(password,for,User)).

recommended([found(file,X,on,backup,tape)],find(file,X,on,backup,tape)).
recommended([loaded(backup,tape)],load(backup,tape)).
recommended([located(backup,tape)],locate(backup,tape)).
recommended([stored(backup,tape)],store(backup,tape)).


/* Preconditions */

precondition(change(permissions,file,X),[not(changed(permissions,file,X)),
    checked(permissions,file,X)]).
precondition(change(root,password),
    [not(changed(password,root))]).
precondition(remove('Trojan','Horse',from,File),
    [restored(file,File)]).
precondition(compare(file,File,for,'Trojan','Horse',with,File,on,backup,tape),
    [found(file,File,on,backup,tape)]).
precondition(confront(user,A),
    [not(confronted(user,A))]).
precondition(restore(user,password,for,User),
    [not(restored(password,for,User))]).
precondition(issue(A,new,user,password),
    [not(issued(new,password,to,A))]).
precondition(examine(user,password,A),
    [not(examined(password,A))]).
precondition(investigate(user,password,A),
    [not(investigated(password,A))]).
precondition(restore(modified,file,X,from,backup),
    [found(file,X,on,backup,tape)]).
precondition(restore(deleted,file,X,from,backup),
    [found(file,X,on,backup,tape)]).
precondition(check(permissions,file,X),[]).
precondition(execute(password,cracker),
    [not(executed(password,cracker))]).
precondition(change(password,for,User),[not(changed(password,for,User))]).
precondition(find(file,X,on,backup,tape),[loaded(backup,tape)]).
precondition(load(backup,tape),
    [not(loaded(backup,tape)),located(backup,tape)]).
precondition(locate(backup,tape),
    [not(located(backup,tape)),stored(backup,tape)]).
precondition(store(backup,tape),
    [not(stored(backup,tape))]).


/* AddPostCondition Facts */

addpostcondition(change(permissions,file,X),[changed(permissions,file,X)]).
addpostcondition(change(root,password),[changed(password,root)]).
addpostcondition(remove('Trojan','Horse',from,File),
    [removed('Trojan','Horse',from,File)]).
addpostcondition(
    compare(file,File,for,'Trojan','Horse',with,File,on,backup,tape),
    [compared(file,File,for,'Trojan Horse',with,File,on,backup,tape)]).
addpostcondition(confront(user,User),[confronted(user,User)]).
addpostcondition(restore(user,password,for,User),[restored(password,for,User)]).
addpostcondition(investigate(user,password,A),[investigated(user,password,A)]).
addpostcondition(examine(user,password,User),[examined(password,User)]).
addpostcondition(issue(User,new,user,password),[issued(new,password,to,User)]).
addpostcondition(check(permissions,file,X),[checked(permissions,file,X)]).

addpostcondition(restore(modified,file,X,from,backup),
    [modified_file(X,P,O,T,S,B,M)],
    [restored(file,X),file(X,P,O,T,S,B,M)]).
addpostcondition(restore(deleted,file,X,from,backup),
    [deleted_file(X,P,O,T,S,B,M)],
    [restored(file,X),file(X,P,O,T,S,B,M)]).
addpostcondition(execute(password,cracker),[insecure_password(User)],
    [executed(password,cracker),
     known(insecure,password,for,User1),
     known(insecure,password,for,User2),
     known(insecure,password,for,User3),
     known(insecure,password,for,User4)]).
addpostcondition(change(password,for,User),[changed(password,for,User)]).
addpostcondition(find(file,X,on,backup,tape),[found(file,X,on,backup,tape)]).
addpostcondition(load(backup,tape),[loaded(backup,tape)]).
addpostcondition(locate(backup,tape),[located(backup,tape)]).
addpostcondition(store(backup,tape),[stored(backup,tape)]).


/* DeletePostCondition Facts */

deletepostcondition(change(permissions,file,passwd),
    [behavior(A,'copied password file',T1,T2)]).
deletepostcondition(change(root,password),    /* 2 behaviors deleted */
    [behavior(A,'compromised root password',T1,T2),
     behavior(A1,'compromised root password',T3,T4)]).
deletepostcondition(remove('Trojan','Horse',from,File),
    [behavior(A,'inserted Trojan Horse',File,T1,T2)]).
deletepostcondition(
    compare(file,File,for,'Trojan','Horse',with,File,on,backup,tape),
    [behavior(A,'possible Trojan Horse',File,T1,T2)]).
deletepostcondition(confront(user,A),
    [behavior(A,'possible intruder',T1,T2)]).
deletepostcondition(investigate(user,password,A),
    [behavior(A,'possible compromised user password',A,T1,T2)]).
deletepostcondition(issue(A,new,user,password),
    [behavior(A,'maliciously changed user password',T1,T2)]).
deletepostcondition(restore(user,password,for,User),
    [behavior(Intruder,'maliciously changed user password',User,T1,T2)]).
deletepostcondition(examine(user,password,A),
    [behavior(A,'compromised user password',A,T1,T2)]).
deletepostcondition(restore(modified,file,passwd,from,backup),
    [modified_file(passwd,P,O,T,S,B,M),file(passwd,P,O,T,S1,B,M1),
     behavior(A,'edited password file',T1,T2)]).
deletepostcondition(restore(modified,file,X,from,backup),
    [modified_file(X,P,O,T,S,B,M),file(X,P,O,T,S1,B,M1),
     behavior(A,'maliciously modified file',X,T1,T2)]).
deletepostcondition(restore(deleted,file,X,from,backup),
    [deleted_file(X,P,O,T,S,B,M),
     behavior(A,'maliciously deleted file',X,T1,T2)]).
deletepostcondition(check(permissions,file,X),[]).
deletepostcondition(execute(password,cracker),[]).
deletepostcondition(change(password,for,User),
    [insecure_password(User)]).
deletepostcondition(find(file,X,on,backup,tape),[]).
deletepostcondition(load(backup,tape),
    [removed(backup,tape)]).
deletepostcondition(locate(backup,tape),[stored(backup,tape)]).
deletepostcondition(store(backup,tape),
    [located(backup,tape),loaded(backup,tape)]).


TAB 4. IDTS FILES MODULE


/***************************************************************************/
/* Intrusion-Detection Tutoring System (IDTS) */
/* LT Sandra J. Schiavo, U.S. Navy, Naval Postgraduate School, Monterey CA 93940 */
/* IDTS Files Module */
/* */
/* This module contains file and insecure_password facts which store the */
/* initial file system of IDTS's virtual environment. The data structure of a */
/* file fact is as follows: */
/* */
/*   file(<name>,<dir>,<owner>,<type>,<size>,<protection>,<time>). */
/* */
/* where, <name> is any legal UNIX file name; */
/*   <dir> is the name of the directory in which file <name> resides; */
/*   <owner> is the name of the owner of file <name>; */
/*   <type> is the file <name>'s type, either directory, text, or executable; */
/*   <size> is the size in bytes of file <name>; */
/*   <protection> are the UNIX permissions for file <name>; and */
/*   <time> is the time file <name> was last modified by <owner>. */
/* */
/* The data structure for insecure password is: */
/* */
/*   insecure_password(<user>), where <user> is the name of a user in the system. */
/***************************************************************************/


:- dynamic file/7.


/* Root directories and files. */

file(root,root,root,directory,100,'drwxr-xr-x',100).
file(bin,root,root,directory,100,'drwxr-sr-x',10).
file(users,root,root,directory,100,'drwxr-sr-x',10).
file(su,bin,root,executable,100,'-rwxr-xr-x',10).
file(ls,bin,root,executable,2000,'-rwxr-xr-x',20).
file(cd,bin,root,executable,5000,'-rwxr-xr-x',30).
file(etc,root,root,directory,100,'drwxr-sr-x',10).
file(passwd,etc,root,text,1000,'-rw-r--r--',40).


/* Other Users and their files in the System. */

file(adams,users,adams,directory,100,'drwxr-xr-x',100).
file(diradams,adams,adams,directory,512,'drwxr-xr-x',1002).
file(auxa,diradams,adams,text,1512,'-rw-r--r--',1000).
file(auxb,diradams,adams,text,1224,'-rw-r--r--',1234).
file(auxc,diradams,adams,text,5120,'-rw-r--r--',1515).

file(brown,users,brown,directory,100,'drwxr-xr-x',100).

file(coleman,users,coleman,directory,100,'drwxr-xr-x',100).

file(davis,users,davis,directory,100,'drwxr-xr-x',100).
file(goodnews,davis,davis,text,1348,'-rw-r--r--',2300).

file(doe,users,doe,directory,100,'drwxr-xr-x',100).
file(bigpaper,doe,doe,text,30000,'-rw-rw-rw-',500).

file(evans,users,evans,directory,100,'drwxr-xr-x',100).
file(csclass,evans,evans,directory,512,'drwxr-xr-x',2100).
file(proj_one,csclass,evans,exec,139268,'-rwxr--r--',0808).

file(farmer,users,farmer,directory,100,'drwxr-xr-x',100).
file(secrets,farmer,farmer,text,11348,'-rw-r--r--',1212).

file(graham,users,graham,directory,100,'drwxr-xr-x',100).
file(important,graham,graham,text,10248,'-rw-r--r--',1734).

file(jones,users,jones,directory,100,'drwxr-xr-x',100).

file(dog,users,dog,directory,100,'drwxr-xr-x',100).
file(food,dog,dog,text,1024,'-rw-r--r--',2210).
file(bark,dog,dog,text,1024,'-rw-r--r--',2210).
file(wag,dog,dog,text,1024,'-rw-r--r--',2210).

file(smith,users,smith,directory,100,'drwxr-xr-x',100).
file(shortpaper,smith,smith,text,5400,'-rw-rw-rw-',500).

file(tom,users,tom,directory,100,'drwxrwxrwx',100).
file(bb,tom,tom,text,512,'-rwxrwxrwx',1002).
file(aa,tom,tom,text,512,'-rwxrwxrwx',1002).
file(ba,tom,tom,directory,512,'drwxrwxrwx',1002).

file(uri,users,uri,directory,100,'drwxr-xr-x',100).
file(ba,uri,uri,directory,512,'drwxr-xr-x',1002).
file(baseball,ba,uri,text,512,'-rw-rw-r--',1002).


/* Insecure_password facts */

insecure_password(adams).
insecure_password(graham).
insecure_password(farmer).
insecure_password(smith).
TAB 5. IDTS SAMPLE AUDITFILE MODULE


/***************************************************************************/
/* Intrusion-Detection Tutoring System Program -- Version 1 (IDTS) */
/* LT Sandra J. Schiavo, U.S. Navy, Naval Postgraduate School, Monterey CA 93940 */
/* IDTS Sample Audit File -- audit file */
/* */
/* This module contains sample audit facts that may be used by IDTS. */
/* The data structure for an audit fact is as follows: */
/* */
/*   audit(<user>,<time>,<directory>,<command>,<result>). */
/* */
/* where <user> is a user name on the system, */
/*   <time> is an integer and time <command> was executed */
/*   <directory> is the <user>'s current directory where <command> executed */
/*   <command> is the UNIX command issued at <time> by <user> */
/*   <result> is the result of executing <command>, and can be either, "ok," */
/*   "fail," an integer, or a mail message. */
/***************************************************************************/


audit(adams,10,none,'login adams',ok).
audit(adams,30,none,'login adams',ok).
audit(adams,20,adams,ls,ok).
audit(adams,30,adams,'cd diradams',ok).
audit(adams,35,diradams,ls,ok).
audit(adams,40,diradams,'emacs auxa',1014).
audit(adams,50,diradams,'rm auxa',ok).
audit(adams,60,diradams,'emacs auxb',1212).
audit(adams,70,diradams,'rm auxb',ok).
audit(adams,80,diradams,'emacs auxc',1346).
audit(adams,90,diradams,'rm auxc',ok).
audit(adams,100,diradams,cd,ok).
audit(adams,110,adams,'rmdir diradams',ok).
audit(adams,120,adams,logout,ok).
audit(brown,130,none,'login brown',fail).
audit(brown,132,none,'login brown',fail).
audit(brown,134,none,'login brown',fail).
audit(brown,136,none,'login brown',ok).
audit(brown,138,brown,yppasswd,ok).
audit(brown,140,brown,logout,ok).
audit(coleman,160,none,'login coleman',fail).
audit(coleman,170,none,'login coleman',fail).
audit(coleman,180,none,'login coleman',fail).
audit(davis,190,none,'login davis',ok).
audit(davis,200,davis,'emacs goodnews',2372).
audit(root,315,none,'login root',fail).
audit(root,324,none,'login root',ok).
audit(root,329,root,'cd bin',ok).
audit(davis,410,davis,logout,ok).
audit(evans,420,none,'login evans',ok).
audit(evans,430,evans,ls,ok).
audit(evans,440,evans,'cd csclass',ok).
audit(evans,450,csclass,ls,ok).
audit(evans,460,csclass,'emacs proj_one',140292).
audit(root,589,bin,'emacs ls',3024).
audit(evans,880,csclass,logout,ok).
audit(smith,859,none,'login smith',ok).
audit(smith,900,smith,'cd etc',ok).
audit(smith,901,etc,'cp passwd ~smith',ok).
audit(smith,902,etc,logout,ok).
audit(jones,910,none,'login jones',ok).
audit(jones,910,jones,su,fail).
audit(jones,911,jones,su,fail).
audit(jones,912,jones,su,fail).
audit(jones,920,jones,su,ok).
audit(jones,921,root,'cd ~farmer',ok).
audit(jones,922,farmer,ls,ok).
audit(jones,923,farmer,'rm secrets',ok).
audit(jones,924,farmer,yppasswd,ok).
audit(jones,925,farmer,'cd ~graham',ok).
audit(jones,926,graham,ls,ok).
audit(jones,927,graham,'emacs important',11272).
audit(brown,1030,none,'login brown',fail).
audit(brown,1031,none,'login brown',fail).
audit(brown,1032,none,'login brown',fail).
audit(brown,1033,none,'mail root',bad(password,brown)).
audit(root,1119,bin,'emacs cd',4979).
audit(farmer,1203,none,'login farmer',fail).
audit(farmer,1204,none,'login farmer',fail).
audit(farmer,1205,none,'login farmer',fail).
audit(farmer,1206,none,'login farmer',fail).
audit(farmer,1207,farmer,'mail root',bad(password,farmer)).
audit(root,1211,root,mail,ok).
audit(farmer,1220,farmer,'mail root',bad(secrets,farmer)).
audit(root,1394,root,'cd ~dog',ok).
audit(root,1395,dog,'rm *',ok).
audit(root,1396,dog,cd,ok).
audit(root,1400,root,'login root',ok).
audit(root,1421,root,logout,ok).
audit(graham,1500,none,'login graham',ok).
audit(graham,1501,graham,ls,ok).
audit(graham,1502,graham,'mail root',bad(important,graham)).
audit(root,1503,root,mail,ok).
audit(uri,2119,none,'login uri',ok).
audit(uri,2127,uri,'cd ba',ok).
audit(uri,2216,ba,'rm *',ok).
audit(uri,2218,ba,logout,ok).
audit(tom,2713,none,'login tom',ok).
audit(tom,2732,tom,'cd ba',ok).
audit(tom,2749,ba,'cp aa guest/aa',ok).
audit(tom,2754,ba,logout,ok).
audit(root,4474,none,'login root',fail).
audit(root,4475,none,'login root',fail).
audit(root,4476,none,'login root',fail).
audit(root,4493,none,'login root',ok).
audit(root,4499,root,'cd etc',ok).
audit(root,5087,etc,'emacs passwd',1017).
audit(root,5088,etc,cd,ok).
audit(root,5089,root,'cd bin',ok).
audit(root,5205,bin,'mail root',bad(cd,bin)).
audit(root,5208,bin,logout,ok).
audit(tom,6351,none,'login tom',ok).
audit(tom,6355,tom,'cd ba',ok).
audit(tom,6421,ba,'emacs ab',12345).
audit(tom,6428,ba,logout,ok).
audit(doe,8982,none,'login doe',ok).
audit(doe,9315,doe,'emacs bigpaper',29947).
audit(doe,9335,doe,'emacs csproject',1024).
audit(doe,9352,doe,ls,ok).
audit(doe,9360,doe,'emacs csproject',4096).
audit(doe,9373,doe,'mail root',bad(ls,bin)).
audit(doe,9375,doe,'mail root',bad(doefile,doe)).
audit(doe,9379,doe,logout,ok).
audit(dog,9400,none,'login dog',ok).
audit(dog,9403,dog,ls,ok).
audit(dog,9404,dog,'mail root',bad(bark,dog)).
audit(dog,9405,dog,logout,ok).
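
The audit/5 structure documented in this module can be queried directly for login anomalies. The following is an added example, not part of IDTS or the thesis, that reports runs of failed logins per user and whether a successful login followed them; it is written for an ISO-style Prolog such as SWI-Prolog. The predicate names, the result terms and the threshold of three failures are assumptions, and the facts are a constructed subset of the sample audit file above.

```prolog
% Added example, not IDTS code. All predicate names here are hypothetical.

% Constructed sample: a subset of the audit/5 facts from the sample audit file.
audit(brown,   130,  none,  'login brown',   fail).
audit(brown,   132,  none,  'login brown',   fail).
audit(brown,   134,  none,  'login brown',   fail).
audit(brown,   136,  none,  'login brown',   ok).
audit(brown,   138,  brown, yppasswd,        ok).
audit(coleman, 160,  none,  'login coleman', fail).
audit(coleman, 170,  none,  'login coleman', fail).
audit(coleman, 180,  none,  'login coleman', fail).
audit(root,    315,  none,  'login root',    fail).
audit(root,    324,  none,  'login root',    ok).
audit(root,    4474, none,  'login root',    fail).
audit(root,    4475, none,  'login root',    fail).
audit(root,    4476, none,  'login root',    fail).
audit(root,    4493, none,  'login root',    ok).
audit(root,    4499, root,  'cd etc',        ok).

% Assumed threshold: this many consecutive failed logins count as a burst.
burst_threshold(3).

% login_results(+User, -Results)
% Results is the list of Time-Result pairs for User's login attempts,
% oldest first. Other commands (cd, yppasswd, ...) are ignored.
login_results(User, Results) :-
    atom_concat('login ', User, Cmd),
    findall(T-R, audit(User, T, _, Cmd, R), Pairs),
    keysort(Pairs, Results).

% scan(+Results, +FailsSoFar, -Findings)
% Walks the login attempts in time order, counting consecutive failures.
%   success_after(N, T): N failures in a row, then a successful login at T.
%   failed_only(N):      the log ends with N failures and no success.
scan([], N, Findings) :-
    burst_threshold(Min),
    (   N >= Min
    ->  Findings = [failed_only(N)]
    ;   Findings = []
    ).
scan([_-fail|Rest], N, Findings) :-
    N1 is N + 1,
    scan(Rest, N1, Findings).
scan([T-ok|Rest], N, Findings) :-
    burst_threshold(Min),
    (   N >= Min
    ->  Findings = [success_after(N, T)|More]
    ;   Findings = More
    ),
    scan(Rest, 0, More).          % a success resets the failure counter

% suspicious_login(?User, ?Finding)
% Enumerates every finding for every user that appears in the audit facts.
suspicious_login(User, Finding) :-
    setof(U, T^D^C^R^audit(U, T, D, C, R), Users),
    member(User, Users),
    login_results(User, Results),
    scan(Results, 0, Findings),
    member(Finding, Findings).
```

Querying `suspicious_login(User, Finding)` yields one solution per qualifying run on backtracking; a `success_after/2` finding is the case worth correlating with the commands that follow the login, such as `yppasswd` or an edit of `passwd`.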
APPENDIX B: SAMPLE SCRIPT RUNS WITH IDTS


The following are four script runs of IDTS using four different test audit files. The
four different script runs are divided into the following appendix tabs:


Tab 1. Test Auditfile 1

Tab 2. Test Auditfile 2

Tab 3. Test Auditfile 3

Tab 4. Test Auditfile 4

TAB 1. TEST AUDITFILE 1


The following is the audit file used for Run 1:

audit(adams,10,none,'login adams',ok).
audit(adams,30,none,'login adams',ok).
audit(adams,20,adams,ls,ok).
audit(adams,30,adams,'cd diradams',ok).
audit(adams,35,diradams,ls,ok).
audit(adams,40,diradams,'emacs auxa',1014).
audit(adams,50,diradams,'rm auxa',ok).
audit(adams,60,diradams,'emacs auxb',1212).
audit(adams,70,diradams,'rm auxb',ok).
audit(adams,80,diradams,'emacs auxc',1346).
audit(adams,90,diradams,'rm auxc',ok).
audit(adams,100,diradams,cd,ok).
audit(adams,110,adams,'rmdir diradams',ok).
audit(adams,120,adams,logout,ok).
audit(brown,130,none,'login brown',fail).
audit(brown,132,none,'login brown',fail).
audit(brown,134,none,'login brown',fail).
audit(brown,136,none,'login brown',ok).
audit(brown,138,brown,yppasswd,ok).
audit(brown,140,brown,logout,ok).
audit(coleman,160,none,'login coleman',fail).
audit(coleman,170,none,'login coleman',fail).
audit(coleman,180,none,'login coleman',fail).
audit(davis,190,none,'login davis',ok).
audit(davis,200,davis,'emacs goodnews',2372).
audit(root,315,none,'login root',fail).
audit(root,324,none,'login root',ok).
audit(root,329,root,'cd bin',ok).
audit(davis,410,davis,logout,ok).
audit(evans,420,none,'login evans',ok).
audit(evans,430,evans,ls,ok).
audit(evans,440,evans,'cd csclass',ok).
audit(evans,450,csclass,ls,ok).
audit(evans,460,csclass,'emacs proj_one',140292).
audit(root,589,bin,'emacs ls',3024).
audit(evans,880,csclass,logout,ok).
audit(smith,859,none,'login smith',ok).
audit(smith,900,smith,'cd etc',ok).
audit(smith,901,etc,'cp passwd ~smith',ok).
audit(smith,902,etc,logout,ok).
audit(jones,910,none,'login jones',ok).
audit(jones,910,jones,su,fail).
audit(jones,911,jones,su,fail).
audit(jones,912,jones,su,fail).
audit(jones,920,jones,su,ok).
audit(jones,921,root,'cd ~farmer',ok).
audit(jones,922,farmer,ls,ok).
audit(jones,923,farmer,'rm secrets',ok).
audit(jones,924,farmer,yppasswd,ok).
audit(jones,925,farmer,'cd ~graham',ok).
audit(jones,926,graham,ls,ok).
audit(jones,927,graham,'emacs important',11272).
audit(brown,1030,none,'login brown',fail).
audit(brown,1031,none,'login brown',fail).
audit(brown,1032,none,'login brown',fail).
audit(brown,1033,none,'mail root',bad(password,brown)).
audit(root,1119,bin,'emacs cd',4979).
audit(farmer,1203,none,'login farmer',fail).
audit(farmer,1204,none,'login farmer',fail).
audit(farmer,1205,none,'login farmer',fail).
audit(farmer,1206,none,'login farmer',fail).
audit(farmer,1207,farmer,'mail root',bad(password,farmer)).
audit(root,1211,root,mail,ok).
audit(farmer,1220,farmer,'mail root',bad(secrets,farmer)).
audit(root,1394,root,'cd ~dog',ok).
audit(root,1395,dog,'rm *',ok).
audit(root,1396,dog,cd,ok).
audit(root,1400,root,'login root',ok).
audit(root,1421,root,logout,ok).
audit(graham,1500,none,'login graham',ok).
audit(graham,1501,graham,ls,ok).
audit(graham,1502,graham,'mail root',bad(important,graham)).
audit(root,1503,root,mail,ok).
audit(uri,2119,none,'login uri',ok).
audit(uri,2127,uri,'cd ba',ok).
audit(uri,2216,ba,'rm *',ok).
audit(uri,2218,ba,logout,ok).
audit(tom,2713,none,'login tom',ok).
audit(tom,2732,tom,'cd ba',ok).
audit(tom,2749,ba,'cp aa guest/aa',ok).
audit(tom,2754,ba,logout,ok).
audit(root,4474,none,'login root',fail).
audit(root,4475,none,'login root',fail).
audit(root,4476,none,'login root',fail).
audit(root,4493,none,'login root',ok).
audit(root,4499,root,'cd etc',ok).
audit(root,5087,etc,'emacs passwd',1017).
audit(root,5088,etc,cd,ok).
audit(root,5089,root,'cd bin',ok).
audit(root,5205,bin,'mail root',bad(cd,bin)).
audit(root,5208,bin,logout,ok).
audit(tom,6351,none,'login tom',ok).
audit(tom,6355,tom,'cd ba',ok).
audit(tom,6421,ba,'emacs ab',12345).
audit(tom,6428,ba,logout,ok).
audit(doe,8982,none,'login doe',ok).
audit(doe,9315,doe,'emacs bigpaper',29947).
audit(doe,9335,doe,'emacs csproject',1024).
audit(doe,9352,doe,ls,ok).
audit(doe,9360,doe,'emacs csproject',4096).
audit(doe,9373,doe,'mail root',bad(ls,bin)).
audit(doe,9375,doe,'mail root',bad(doefile,doe)).
audit(doe,9379,doe,logout,ok).
audit(dog,9400,none,'login dog',ok).
audit(dog,9403,dog,ls,ok).
audit(dog,9404,dog,'mail root',bad(bark,dog)).
audit(dog,9405,dog,logout,ok).

The following is the script of Run 1:


Script started on Thu Mar 16 00:16:45 1995
alias: No such file or directory.
ai2:/users/work4/schiavo/Thesis/Tutor>> prolog

Quintus Prolog Release 3.1.1 (Sun-4, SunOS 4.0)
Copyright (C) 1990, Quintus Corporation. All rights reserved.
2100 Geng Road, Palo Alto, California U.S.A. (415) 813-3800

| ?- [intruder].
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/intruder.pl
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/metutor30.pl
% Undefined procedures will just fail ('fail' option)
% loading file /usr/local/q3.1.1/generic/qplib3.1.1/library/random.qof
% foreign file /usr/local/q3.1.1/generic/qplib3.1.1/library/sun4-4/libpl.so loaded
% random.qof loaded, 0.134 sec 9,392 bytes
% module random imported into user
* Clauses for writefact/2 are not together in the source file
% metutor30.pl compiled in module user, 3.367 sec 50,420 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/auditfile
% auditfile compiled in module user, 0.417 sec 8,744 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/filetree
% filetree compiled in module user, 0.467 sec 5,240 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/rules
* Clauses for behavior/5 are not together in the source file
* Clauses for behavior/4 are not together in the source file
% rules compiled in module user, 0.666 sec 7,416 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/files
% files compiled in module user, 0.117 sec 4,276 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/operators
* Clauses for recommended/3 are not together in the source file
* Clauses for recommended/2 are not together in the source file
* Clauses for addpostcondition/2 are not together in the source file
% operators compiled in module user, 0.583 sec 8,268 bytes
% intruder.pl compiled in module user, 6.383 sec 95,212 bytes

yes
| ?- statistics.

memory (total)       649696 bytes:     458764 in use,    190932 free
   program space     327700 bytes
   global space       65532 bytes:      26688 in use,     38844 free
      global stack    24584 bytes
      trail              16 bytes
      system           2088 bytes
   local stack        65532 bytes:        440 in use,     65092 free
      local stack       416 bytes
      system             24 bytes
 0.000 sec. for 0 global and 3 local space shifts
 0.000 sec. for 0 garbage collections which collected 0 bytes
 5.933 sec. runtime

yes
| ?- start.
AUDIT FILE


The following displays the current contents of the audit file:

Name     Time   Path      Command            Result
adams    10     none      login adams        ok
adams    20     adams     ls                 ok
adams    30     adams     cd diradams        ok
adams    30     none      login adams        ok
adams    35     diradams  ls                 ok
adams    40     diradams  emacs auxa         1014
adams    50     diradams  rm auxa            ok
adams    60     diradams  emacs auxb         1212
adams    70     diradams  rm auxb            ok
adams    80     diradams  emacs auxc         1346
adams    90     diradams  rm auxc            ok
adams    100    diradams  cd                 ok
adams    110    adams     rmdir diradams     ok
adams    120    adams     logout             ok
brown    130    none      login brown        fail
brown    132    none      login brown        fail
brown    134    none      login brown        fail
brown    136    none      login brown        ok
brown    138    brown     yppasswd           ok
brown    140    brown     logout             ok
brown    1030   none      login brown        fail
brown    1031   none      login brown        fail
brown    1032   none      login brown        fail
brown    1033   none      mail root          bad(password,brown)
coleman  160    none      login coleman      fail
coleman  170    none      login coleman      fail
coleman  180    none      login coleman      fail
davis    190    none      login davis        ok
davis    200    davis     emacs goodnews     2372
davis    410    davis     logout             ok
doe      8982   none      login doe          ok
doe      9315   doe       emacs bigpaper     29947
doe      9335   doe       emacs csproject    1024
doe      9352   doe       ls                 ok
doe      9360   doe       emacs csproject    4096
doe      9373   doe       mail root          bad(ls,bin)
doe      9375   doe       mail root          bad(doefile,doe)
doe      9379   doe       logout             ok
dog      9400   none      login dog          ok
dog      9403   dog       ls                 ok
dog      9404   dog       mail root          bad(bark,dog)
dog      9405   dog       logout             ok
evans    420    none      login evans        ok
evans    430    evans     ls                 ok
evans    440    evans     cd csclass         ok
evans    450    csclass   ls                 ok
evans    460    csclass   emacs proj_one     140292
evans    880    csclass   logout             ok
farmer   1203   none      login farmer       fail
farmer   1204   none      login farmer       fail
farmer   1205   none      login farmer       fail
farmer   1206   none      login farmer       fail
farmer   1207   farmer    mail root          bad(password,farmer)
farmer   1220   farmer    mail root          bad(secrets,farmer)
graham   1500   none      login graham       ok
graham   1501   graham    ls                 ok
graham   1502   graham    mail root          bad(important,graham)
jones    910    jones     su                 fail
jones    910    none      login jones        ok
jones    911    jones     su                 fail
jones    912    jones     su                 fail
jones    920    jones     su                 ok
jones    921    root      cd ~farmer         ok
jones    922    farmer    ls                 ok
jones    923    farmer    rm secrets         ok
jones    924    farmer    yppasswd           ok
jones    925    farmer    cd ~graham         ok
jones    926    graham    ls                 ok
jones    927    graham    emacs important    11272
root     315    none      login root         fail
root     324    none      login root         ok
root     329    root      cd bin             ok
root     589    bin       emacs ls           3024
root     1119   bin       emacs cd           4979
root     1211   root      mail               ok
root     1394   root      cd ~dog            ok
root     1395   dog       rm *               ok
root     1396   dog       cd                 ok
root     1400   root      login root         ok
root     1421   root      logout             ok
root     1503   root      mail               ok
root     4474   none      login root         fail
root     4475   none      login root         fail
root     4476   none      login root         fail
root     4493   none      login root         ok
root     4499   root      cd etc             ok
root     5087   etc       emacs passwd       1017
root     5088   etc       cd                 ok
root     5089   root      cd bin             ok
root     5205   bin       mail root          bad(cd,bin)
root     5208   bin       logout             ok
smith    859    none      login smith        ok
smith    900    smith     cd etc             ok
smith    901    etc       cp passwd ~smith   ok
smith    902    etc       logout             ok
tom      2713   none      login tom          ok
tom      2732   tom       cd ba              ok
tom      2749   ba        cp aa guest/aa     ok
tom      2754   ba        logout             ok
tom      6351   none      login tom          ok
tom      6355   tom       cd ba              ok
tom      6421   ba        emacs ab           12345
tom      6428   ba        logout             ok
uri      2119   none      login uri          ok
uri      2127   uri       cd ba              ok
uri      2216   ba        rm *               ok
uri      2218   ba        logout             ok

MAIL RECEIVED


The following displays mail received by root:

From     To     Time   Problem (File, Directory)
brown    root   1033   bad(password,brown)
doe      root   9373   bad(ls,bin)
doe      root   9375   bad(doefile,doe)
dog      root   9404   bad(bark,dog)
farmer   root   1207   bad(password,farmer)
farmer   root   1220   bad(secrets,farmer)
graham   root   1502   bad(important,graham)
root     root   5205   bad(cd,bin)

% Undefined procedures will just fail ('fail' option)
Warnings:
This fact is not removable: changed(password,root)
This fact is not removable: confronted(user,_14117)
This fact is not removable: examined(password,_14051)
This fact is not removable: executed(password,cracker)
This fact is not removable: investigated(password,_14030)
This fact is not removable: changed(password,for,_13988)
This fact is not removable: changed(permissions,file,_14160)
This fact is not removable: restored(password,for,_14096)
This fact is not removable: issued(new,password,to,_14074)

Your objectives:
backup tape is stored and password cracker is executed.

Wait a moment while I analyze the problem thoroughly.

* To see a list of possible actions, type the letter "h" or the word
* "help." To review the audit file or your mail at anytime, type the
* word "auditfile" or "mail" respectively.

Type h for help.

************ These facts are now true: *************
backup tape is stored,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true.

Select an action: execute password cracker
You chose to execute password cracker.

I am thinking ....

OK, but a hint: "restore modified file passwd from backup"
is more important now than "execute password cracker".

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true.

Select an action: restore modified file passwd from backup
You chose to restore modified file passwd from backup.

>>>>Operator restore(modified,file,passwd,from,backup) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true

>>>>Operator restore(modified,file,passwd,from,backup) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true
That action requires that:
found(file,passwd,on,backup,tape) is true.

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
known(insecure,password,for,_323991) is true,
known(insecure,password,for,_323998) is true,
known(insecure,password,for,_324005) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true.

Select  an  action:  find  file  passwd  on  bac)cup  tape 
You  chose  to  find  file  passwd  on  bacJcup  tape. 

>>>>Operator find(file,passwd,on,backup,tape) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true

>>>>Operator find(file,passwd,on,backup,tape) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true

Have you confused "backup tape is loaded" with "backup tape is stored"?
That action requires that:
backup tape must be loaded.

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true.

Select an action: load backup tape
You chose to load backup tape.

>>>>Operator load(backup,tape) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true

>>>>Operator load(backup,tape) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true

Have you confused "backup tape is located" with "backup tape is stored"?

Have you confused that with the locate backup tape action?

That action requires that:
backup tape must be located.

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true.

Select an action: locate backup tape
You chose to locate backup tape.

OK. 

************ These facts are now true: *************
password cracker is executed,
backup tape is located,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true.

Select an action: load backup tape
You chose to load backup tape.

OK. 

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
and mail(root,root,5205,bad(cd,bin)) is true.

Select an action: find file passwd on backup tape
You chose to find file passwd on backup tape.

OK. 

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: restore modified file passwd from backup
You chose to restore modified file passwd from backup.

OK. 

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: change password for adams
You chose to change password for adams.

I  am  thinking .... 

OK,  but  a  hint:  "change  permissions  file  passwd" 
is  more  important  now  than  "change  password  for  adams". 

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: change permissions file passwd
I am thinking ....

You chose to change permissions file passwd.

>>>>Operator change(permissions,file,passwd) could not be applied to:
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true

>>>>Operator change(permissions,file,passwd) could not be applied to:
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true

Have you confused that with the check permissions file passwd action?

That action requires that:
checked(permissions,file,passwd) is true.

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: check permissions file passwd
You chose to check permissions file passwd.

OK. 

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: change permissions file passwd
You chose to change permissions file passwd.

OK. 

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: change password for smith
You chose to change password for smith.

I  am  thinking .... 

OK, but a hint: "change root password"
is more important now than "change password for smith".

************ These facts are now true: *************
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: change root password
You chose to change root password.

OK. 

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select  an  action:  audit file 


AUDIT  FILE 

The  following  displays  the  current  contents  of  the  audit  file: 


Name     Time   Path       Command            Result
adams    10     none       login adams        ok
adams    20     adams      ls                 ok
adams    30     adams      cd diradams        ok
adams    30     none       login adams        ok
adams    35     diradams   ls                 ok
adams    40     diradams   emacs auxa         1014
adams    50     diradams   rm auxa            ok
adams    60     diradams   emacs auxb         1212
adams    70     diradams   rm auxb            ok
adams    60     diradams   emacs auxc         1346
adams    90     diradams   rm auxc            ok
adams    100    diradams   cd                 ok
adams    110    adams      rmdir diradams     ok
adams    120    adams      logout             ok
brown    130    none       login brown        fail
brown    132    none       login brown        fail
brown    134    none       login brown        fail
brown    136    none       login brown        ok
brown    138    brown      yppasswd           ok
brown    140    brown      logout             ok
brown    1030   none       login brown        fail
brown    1031   none       login brown        fail
brown    1032   none       login brown        fail
brown    1033   none       mail root          bad(password,brown)
coleman  160    none       login coleman      fail
coleman  170    none       login coleman      fail
coleman  180    none       login coleman      fail
davis    190    none       login davis        ok
davis    200    davis      emacs goodnews     2372
davis    410    davis      logout             ok
doe      8982   none       login doe          ok
doe      9315   doe        emacs bigpaper     29947
doe      9335   doe        emacs csproject    1024
doe      9352   doe        ls                 ok
doe      9360   doe        emacs csproject    4096
doe      9373   doe        mail root          bad(ls,bin)
doe      9375   doe        mail root          bad(doefile,doe)
doe      9379   doe        logout             ok
dog      9400   none       login dog          ok
dog      9403   dog        ls                 ok
dog      9404   dog        mail root          bad(bark,dog)
dog      9405   dog        logout             ok
evans    420    none       login evans        ok
evans    430    evans      ls                 ok
evans    440    evans      cd csclass         ok
evans    450    csclass    ls                 ok
evans    460    csclass    emacs proj_one     140292
evans    880    csclass    logout             ok
farmer   1203   none       login farmer       fail
farmer   1204   none       login farmer       fail
farmer   1205   none       login farmer       fail
farmer   1206   none       login farmer       fail
farmer   1207   farmer     mail root          bad(password,farmer)
farmer   1220   farmer     mail root          bad(secrets,farmer)
graham   1500   none       login graham       ok
graham   1501   graham     ls                 ok
graham   1502   graham     mail root          bad(important,graham)
jones    910    jones      su                 fail
jones    910    none       login jones        ok
jones    911    jones      su                 fail
jones    912    jones      su                 fail
jones    920    jones      su                 ok
jones    921    root       cd ~farmer         ok
jones    922    farmer     ls                 ok
jones    923    farmer     rm secrets         ok
jones    924    farmer     yppasswd           ok
jones    925    farmer     cd ~graham         ok
jones    926    graham     ls                 ok
jones    927    graham     emacs important    11272
root     315    none       login root         fail
root     324    none       login root         ok
root     329    root       cd bin             ok
root     589    bin        emacs ls           3024
root     1119   bin        emacs cd           4979
root     1211   root       mail               ok
root     1394   root       cd ~dog            ok
root     1395   dog        rm *               ok
root     1396   dog        cd                 ok
root     1400   root       login root         ok
root     1421   root       logout             ok
root     1503   root       mail               ok
root     4474   none       login root         fail
root     4475   none       login root         fail
root     4476   none       login root         fail
root     4493   none       login root         ok
root     4499   root       cd etc             ok
root     5087   etc        emacs passwd       1017
root     5088   etc        cd                 ok
root     5089   root       cd bin             ok
root     5205   bin        mail root          bad(cd,bin)
root     5208   bin        logout             ok
smith    859    none       login smith        ok
smith    900    smith      cd etc             ok
smith    901    etc        cp passwd ~smith   ok
smith    902    etc        logout             ok
tom      2713   none       login tom          ok
tom      2732   tom        cd ba              ok
tom      2749   ba         cp aa guest /aa    ok
tom      2754   ba         logout             ok
tom      6351   none       login tom          ok
tom      6355   tom        cd ba              ok
tom      6421   ba         emacs ab           12345
tom      6428   ba         logout             ok
uri      2119   none       login uri          ok
uri      2127   uri        cd ba              ok
uri      2216   ba         rm *               ok
uri      2218   ba         logout             ok

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select  an  action:  mail 


*********************************


MAIL  RECEIVED 

The  following  displays  mail  received  by  root: 


From     To     Time   Problem (File, Directory)
brown    root   1033   bad(password,brown)
doe      root   9373   bad(ls,bin)
doe      root   9375   bad(doefile,doe)
dog      root   9404   bad(bark,dog)
farmer   root   1207   bad(password,farmer)
farmer   root   1220   bad(secrets,farmer)
graham   root   1502   bad(important,graham)
root     root   5205   bad(cd,bin)




************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: confront user jones
You chose to confront user jones.

OK, but a hint: "compare file cd for Trojan Horse with cd on backup tape"
is more important now than "confront user jones".

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: find file cd on backup tape
You chose to find file cd on backup tape.

OK. 

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
and found(file,passwd,on,backup,tape) is true.

Select an action: compare file cd for Trojan Horse with cd on backup tape
You chose to compare file cd for Trojan Horse with cd on backup tape.

OK. 

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.

Select an action: find file ls on backup tape
You chose to find file ls on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.

Select an action: compare file ls for Trojan Horse with ls on backup tape
You chose to compare file ls for Trojan Horse with ls on backup tape.

OK. 

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: remove Trojan Horse from ls
You chose to remove Trojan Horse from ls.

>>>>Operator remove(Trojan,Horse,from,ls) could not be applied to:
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true

>>>>Operator remove(Trojan,Horse,from,ls) could not be applied to:
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true

Have you confused "file ls are restored" with "file passwd is restored"?
That action requires that:
file ls must be restored.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore modified file ls from backup
You chose to restore modified file ls from backup.

I am thinking ....

OK, but a hint: "restore user password for brown"
is more important now than "restore modified file ls from backup".
************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: remove Trojan Horse from ls
You chose to remove Trojan Horse from ls.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore user password brown
You chose to restore user password brown.
Not a valid action.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore user password for brown
You chose to restore user password for brown.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
restored(password,for,brown) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore user password for root
You chose to restore user password for root.

I am thinking ....

Have you confused that with the restore user password for farmer action?
Your action is not what I would choose, but let us try it.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
restored(password,for,brown) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore user password for farmer
You chose to restore user password for farmer.

OK.


************ These facts are now true: *************
password root is changed,
user jones is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: examine user password adams
You chose to examine user password adams.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: examine user password root
You chose to examine user password root.

I am thinking ....

Your action is not what I would choose, but let us try it.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: investigate user password root
You chose to investigate user password root.

Have you confused that with the investigate user password brown action?
OK, but a hint: "investigate user password brown"
is more important now than "investigate user password root".
************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: investigate user password brown
You chose to investigate user password brown.

OK.
************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore modified file cd from backup
You chose to restore modified file cd from backup.

OK, but a hint: "restore modified file important from backup"
is more important now than "restore modified file cd from backup".
************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: find file important on backup tape
You chose to find file important on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore modified file important from backup
You chose to restore modified file important from backup.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
file important is restored,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: find file wag on backup tape
You chose to find file wag on backup tape.

I am thinking ....

Have you confused that with the find file secrets on backup tape action?
OK, but a hint: "restore deleted file secrets from backup"
is more important now than "restore deleted file wag from backup".

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
file important is restored,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
found(file,wag,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: find file secrets on backup tape
You chose to find file secrets on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
file important is restored,
file ls are restored,
file passwd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
found(file,secrets,on,backup,tape) is true,
found(file,wag,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore deleted file secrets from backup
You chose to restore deleted file secrets from backup.

OK.

************  These  facts  are  now  true:  ************* 

password  root  Is  changed, 

user  jones  Is  confronted, 

password  ad2uns  Is  examined, 

password  root  Is  exaunlned, 

password  cracker  Is  executed, 

backup  tape  Is  loaded, 

backup  tape  Is  located, 

file  cd  Is  restored, 

file  Important  Is  restored, 

file  Is  are  restored, 

file  passwd  Is  restored, 

file  secrets  are  restored, 

changed  (password,  for,  adauns)  Is  true, 

changed (password, for, smith)  is  true, 

changed (permissions, file, passwd)  is  true, 

checked (permissions, file, passwd)  is  true, 

investigated (user, pas sword, brown)  is  true, 

investigated (user, pas sword, root)  is  true, 

restored (pas sword, for, brown)  is  true, 

restored (password, for, farmer)  is  true, 

restored(pas8word, for, root)  is  true, 

known ( ins e cure, pas sword, for, adams)  is  true, 

known (insecure, pas sword, for, smith)  is  true, 

mail (brown, root, 103 3, bad (pas sword, brown ) )  is  true, 

inail  (doe,  root ,  9373  ,bad(l8 , bin)  )  is  true, 

mail (doe, root, 9375,bad(doef lie, doe) )  is  true, 

mail (dog, root, 9404, bad (bark, dog) )  is  true, 

mail (farmer, root, 1207 , bad (password, farmer) )  is  true, 

mail (farmer, root, 1220, bad(8ecret8, farmer) )  is  true, 

mail(graham,root,1502,bad(iinportant,graheun) )  is  true, 

mail (root, root, 52 05, bad (cd, bin) )  is  true, 

removed (Trojiin, Horse,  from.  Is)  is  true, 

found ( file, cd, on, backup, tape)  is  true, 

found(file,iinport2mt, on, backup, tape)  is  true, 

found(file, Is, on, backup, tape)  is  true, 

found(file,passwd, on, backup, tape)  is  true, 

found (file, secrets, on, backup, tape)  is  true, 

found(f ile,wag,on,bac)cup,tape)  is  true, 

compared ( file, cd, for, Trojan  Horse , with, cd, on, backup, tape)  is  true, 
and  compared  (file.  Is,  for,  Trojan  Horse,  with.  Is ,  on,  bac)cup,  tape)  is  true. 
Select  an  action:  restore  deleted  file  wag  from  backup 
You  chose  to  restore  deleted  file  wag  from  backup. 

OK, but a hint: "restore deleted file bark from backup"
is more important now than "restore deleted file wag from backup".
************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
file important is restored,
file ls are restored,
file passwd is restored,
file secrets are restored,
file wag is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,cd,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
found(file,secrets,on,backup,tape) is true,
found(file,wag,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select  an  action:  find  file  bark  on  backup  tape 
You  chose  to  find  file  bark  on  backup  tape. 

OK. 

************  These  facts  are  now  true:  ************* 

password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
file important is restored,
file ls are restored,
file passwd is restored,
file secrets are restored,
file wag is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,bark,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
found(file,secrets,on,backup,tape) is true,
found(file,wag,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select  an  action:  restore  deleted  file  bark  from  backup 
You chose to restore deleted file bark from backup.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file bark is restored,
file cd is restored,
file important is restored,
file ls are restored,
file passwd is restored,
file secrets are restored,
file wag is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,bark,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
found(file,secrets,on,backup,tape) is true,
found(file,wag,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: find file food on backup tape
You chose to find file food on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file bark is restored,
file cd is restored,
file important is restored,
file ls are restored,
file passwd is restored,
file secrets are restored,
file wag is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,bark,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,food,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
found(file,secrets,on,backup,tape) is true,
found(file,wag,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select  an  action:  restore  deleted  file  food  from  backup 
You chose to restore deleted file food from backup.

OK.

************ These facts are now true: *************
password root is changed,
user jones is confronted,
password adams is examined,
password root is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file bark is restored,
file cd is restored,
file food is restored,
file important is restored,
file ls are restored,
file passwd is restored,
file secrets are restored,
file wag is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,brown) is true,
investigated(user,password,root) is true,
restored(password,for,brown) is true,
restored(password,for,farmer) is true,
restored(password,for,root) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,1033,bad(password,brown)) is true,
mail(doe,root,9373,bad(ls,bin)) is true,
mail(doe,root,9375,bad(doefile,doe)) is true,
mail(dog,root,9404,bad(bark,dog)) is true,
mail(farmer,root,1207,bad(password,farmer)) is true,
mail(farmer,root,1220,bad(secrets,farmer)) is true,
mail(graham,root,1502,bad(important,graham)) is true,
mail(root,root,5205,bad(cd,bin)) is true,
removed(Trojan,Horse,from,ls) is true,
found(file,bark,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,food,on,backup,tape) is true,
found(file,important,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
found(file,passwd,on,backup,tape) is true,
found(file,secrets,on,backup,tape) is true,
found(file,wag,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select  an  action:  store  backup  tape 
You  chose  to  store  backup  tape. 

OK. 

Congratulations!  You  have  done  the  job. 

The  session  is  over.  Do  "go."  to  restart. 

yes 

| ?- statistics.

memory (total)     4188640 bytes:    2743656 in use,   1444984 free
   program space   2612592 bytes
   global space      65532 bytes:      26644 in use,     38868 free
      global stack     24516 bytes
      trail               40 bytes
      system            2088 bytes
   local stack       65532 bytes:        648 in use,     64884 free
      local stack        624 bytes
      system              24 bytes

 67.000 sec. for 0 global and 45 local space shifts
  0.834 sec. for 3 garbage collections which collected 2905820 bytes
 87.633 sec. runtime


TAB  2.  RUN  2 


The  following  is  the  audit  file  used  for  Run  2: 


audit(davis,9,none,'login davis',ok).
audit(davis,14,davis,'cd ~adams',ok).
audit(davis,21,adams,ls,ok).
audit(davis,96,adams,'login adams',fail).
audit(davis,108,adams,'login adams',ok).
audit(adams,122,adams,'cd ~adams',ok).
audit(adams,125,adams,'cd diradams',ok).
audit(evans,340,none,'login evans',ok).
audit(adams,500,diradams,'emacs auxb',1229).
audit(coleman,622,none,'login coleman',fail).
audit(evans,625,evans,'emacs csclass',511).
audit(coleman,632,none,'login coleman',fail).
audit(coleman,636,none,'login coleman',ok).
audit(coleman,652,coleman,'cd ~smith',ok).
audit(evans,655,evans,'mail root',bad(csclass,evans)).
audit(evans,657,evans,logout,ok).
audit(farmer,668,farmer,'cd ~root/bin',ok).
audit(farmer,668,none,'login farmer',ok).
audit(farmer,671,bin,ls,ok).
audit(coleman,684,smith,ls,ok).
audit(farmer,687,bin,'cd ~root',ok).
audit(farmer,707,root,ls,ok).
audit(farmer,711,root,'login root',fail).
audit(farmer,716,root,'login root',fail).
audit(farmer,720,root,'login root',fail).
audit(farmer,722,root,'login root',fail).
audit(coleman,729,smith,ls,ok).
audit(farmer,733,root,'login root',fail).
audit(coleman,736,smith,'login smith',ok).
audit(farmer,747,root,'login root',fail).
audit(farmer,751,root,'login root',ok).
audit(root,760,root,'cd etc',ok).
audit(root,788,etc,'cp passwd ~smith/dont_dare_look_at_this',ok).
audit(smith,819,smith,'emacs tmp1434',344).
audit(root,942,etc,'mail root','Captain Flash strikes again!!!!').
audit(root,947,etc,logout,ok).
audit(smith,1016,smith,'emacs tmp1435',362).
audit(tom,1122,none,'login tom',ok).
audit(tom,1140,tom,'cd ~adams',ok).
audit(tom,1146,adams,'cd ~doe',ok).
audit(tom,1176,doe,ls,ok).
audit(adams,1233,diradams,'emacs auxc',5221).
audit(adams,1237,diradams,logout,ok).
audit(smith,1438,smith,'emacs tmp1436',405).
audit(smith,1444,smith,logout,ok).
audit(tom,1754,doe,'emacs bigpaper',30111).
audit(tom,1759,doe,logout,ok).
audit(doe,2414,none,'login doe',fail).
audit(doe,2421,doe,su,fail).
audit(doe,2421,none,'login doe',ok).
audit(doe,2436,doe,su,fail).
audit(doe,2444,doe,su,fail).
audit(doe,2449,doe,su,ok).
audit(doe,2467,doe,'cd ~adams',ok).
audit(doe,2473,adams,ls,ok).
audit(doe,2491,adams,'cd ~tom/ba',ok).
audit(doe,2510,ba,'cd ~dog',ok).
audit(doe,2522,dog,ls,ok).
audit(doe,2529,dog,'cd ~adams',ok).
audit(doe,2536,adams,'cd ~tom/ba',ok).
audit(doe,2543,ba,'cd ~root/bin',ok).
audit(doe,2546,bin,'cd ~evans/csclass',ok).
audit(doe,2558,csclass,'cd ~davis',ok).
audit(doe,2569,davis,'cd ~farmer',ok).
audit(doe,2583,farmer,ls,ok).
audit(doe,2596,farmer,'cd ~adams',ok).
audit(doe,2615,adams,'cd ~tom/ba',ok).
audit(doe,2629,ba,'cd bin',ok).
audit(doe,2632,bin,'cd ~evans/csclass',ok).
audit(doe,2636,csclass,'cd ~davis',ok).
audit(doe,2643,davis,'cd ~adams/diradams',ok).
audit(doe,2646,diradams,'cd ~graham',ok).
audit(doe,2670,graham,ls,ok).
audit(doe,2687,adams,'cd ~root',ok).
audit(doe,2687,graham,'cd ~adams',ok).
audit(doe,2709,root,ls,ok).
audit(doe,2720,root,'cd ~adams',ok).
audit(doe,2911,adams,'cat auxa',ok).
audit(doe,2938,adams,'cat auxb',ok).
audit(doe,2979,none,'login doe',fail).
audit(doe,2981,none,'login doe',ok).
audit(doe,2982,doe,su,fail).
audit(doe,2998,doe,su,fail).
audit(doe,3007,doe,su,fail).
audit(doe,3010,doe,su,fail).
audit(doe,3025,doe,su,fail).
audit(doe,3035,doe,su,fail).
audit(doe,3046,doe,su,fail).
audit(doe,3061,doe,su,fail).
audit(doe,3080,doe,su,fail).
audit(doe,3085,doe,su,fail).
audit(doe,3104,doe,su,fail).
audit(doe,3114,doe,su,fail).
audit(doe,3132,adams,'cat auxc',ok).
audit(doe,3133,doe,su,fail).
audit(doe,3152,doe,su,fail).
audit(doe,3163,doe,su,fail).
audit(doe,3174,doe,su,fail).
audit(doe,3186,doe,su,fail).
audit(doe,3187,doe,su,fail).
audit(doe,3195,adams,'cat diradams',ok).
audit(doe,3199,doe,su,fail).
audit(doe,3204,adams,'cd ~tom/ba',ok).
audit(doe,3207,doe,su,fail).
audit(doe,3214,ba,'cd ~graham',ok).
audit(doe,3214,doe,su,fail).
audit(doe,3217,doe,su,fail).
audit(doe,3221,doe,su,fail).
audit(doe,3238,doe,su,fail).
audit(doe,3249,doe,su,fail).
audit(doe,3253,doe,su,fail).
audit(davis,3256,none,'login davis',ok).
audit(doe,3269,doe,su,fail).
audit(doe,3279,doe,su,ok).
audit(doe,3283,doe,'cd ~root/bin',ok).
audit(doe,3311,bin,ls,ok).
audit(doe,3320,bin,'cd root',ok).
audit(doe,3336,root,ls,ok).
audit(doe,3350,root,'cd ~adams',ok).
audit(doe,3360,adams,'cd ~tom/ba',ok).
audit(doe,3377,ba,'cd ~root/bin',ok).
audit(doe,3379,graham,'cat important',ok).
audit(doe,3390,graham,'cd ~adams',ok).
audit(doe,3403,adams,'cd ~farmer',ok).
audit(davis,3461,davis,'emacs goodnews',1447).
audit(davis,3467,davis,logout,ok).
audit(doe,3512,farmer,'cat secrets',ok).
audit(doe,3516,farmer,logout,ok).
audit(doe,3875,bin,'emacs cd',5038).
audit(doe,4430,bin,'emacs ls',2121).
audit(doe,5140,bin,'emacs please_run_me',22914).
audit(doe,5141,bin,logout,ok).
audit(doe,5147,bin,'login doe',fail).
audit(doe,5155,bin,'login doe',fail).
audit(doe,5169,bin,'login doe',fail).
audit(doe,5176,bin,'login doe',fail).
audit(doe,5186,bin,'login doe',fail).
audit(doe,5192,bin,'login doe',fail).
audit(doe,5193,bin,'login doe',fail).
audit(doe,5203,bin,'login doe',ok).
audit(doe,5204,doe,'cd ~root/bin',ok).
audit(doe,5272,bin,'emacs please_run_me',22914).
audit(doe,5275,bin,logout,ok).
audit(adams,5832,none,'login adams',fail).
audit(adams,5839,none,'login adams',fail).
audit(adams,5846,none,'login adams',ok).
audit(adams,5855,adams,'cd ~root/bin',ok).
audit(adams,5878,bin,ls,fail).
audit(adams,5903,bin,ls,ok).
audit(adams,5915,bin,'cd ~adams',ok).
audit(adams,5920,adams,'cd ~tom/ba',ok).
audit(adams,5935,ba,'cd ~dog',ok).
audit(adams,5957,dog,ls,ok).
audit(adams,5960,dog,'cd ~adams',ok).
audit(adams,5978,adams,'cd ~tom',ok).
audit(adams,6016,tom,ls,fail).
audit(adams,6019,tom,ls,ok).
audit(adams,6036,tom,'cd ~adams',ok).
audit(adams,6052,adams,'cd ~uri',ok).
audit(adams,6086,uri,ls,ok).
audit(adams,6090,uri,'cd ~adams',ok).
audit(adams,6096,adams,'cd ba',ok).
audit(adams,6111,ba,'cd ~root/bin',ok).
audit(adams,6114,bin,'cd ~evans/csclass',ok).
audit(adams,6116,csclass,'cd ~tom',ok).
audit(adams,6138,tom,'rm *',ok).
audit(adams,6297,tom,'mail tom','Haha ful').
audit(adams,6303,tom,logout,ok).
audit(davis,7582,none,'login davis',ok).
audit(smith,7867,none,'login smith',ok).
audit(smith,7872,smith,'cd ~adams',ok).
audit(smith,7891,adams,'cd ~tom',ok).
audit(davis,8012,davis,'emacs topsecret',1572).
audit(davis,8013,davis,logout,ok).
audit(smith,8027,tom,'emacs bb',451).
audit(smith,8029,tom,'mail root',bad(cd,bin)).
audit(smith,8036,tom,logout,ok).
audit(root,8573,none,'login root',ok).
audit(root,8586,root,'cd ~adams',ok).
audit(root,8604,adams,'cd ~root/bin',ok).
audit(root,8642,bin,ls,ok).
audit(root,8645,bin,'mail root',bad(cd,bin)).
audit(root,8654,bin,'cd ~adams',ok).
audit(root,8667,adams,'cd ~tom/ba',ok).
audit(root,8684,ba,'cd ~root/bin',ok).
audit(root,8696,bin,'cd ~graham',ok).
audit(root,8730,graham,ls,ok).
audit(root,8826,graham,'login graham',ok).
audit(graham,9382,graham,'emacs important',10219).
audit(graham,9390,graham,logout,ok).
audit(graham,9994,none,'login graham',ok).
audit(graham,9997,graham,'cd ~tom',ok).
audit(graham,10033,tom,ls,ok).
audit(graham,10037,tom,'emacs aa',658).
audit(graham,10044,tom,logout,ok).


The  following  is  the  script  of  Run  2: 


Script started on Wed Mar 15 22:33:52 1995
.alias: No such file or directory.
ai2:/users/work4/schiavo/Thesis/Tutor>>prolog

Quintus Prolog Release 3.1.1 (Sun-4, SunOS 4.0)
Copyright (C) 1990, Quintus Corporation. All rights reserved.
2100 Geng Road, Palo Alto, California U.S.A. (415) 813-3800

| ?- [intruder].
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/intruder.pl
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/metutor30.pl
% Undefined procedures will just fail ('fail' option)
% loading file /usr/local/q3.1.1/generic/qplib3.1.1/library/random.qof
% foreign file /usr/local/q3.1.1/generic/qplib3.1.1/library/sun4-4/libpl.so loaded
% random.qof loaded, 0.100 sec 9,392 bytes
% module random imported into user
Clauses for writefact/2 are not together in the source file
% metutor30.pl compiled in module user, 3.016 sec 50,420 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/modroweS
% modroweS compiled in module user, 0.633 sec 14,724 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/filetree
% filetree compiled in module user, 0.433 sec 5,296 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/rules
Clauses for behavior/5 are not together in the source file
* Clauses for behavior/4 are not together in the source file
% rules compiled in module user, 0.616 sec 7,440 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/rowefiles
% rowefiles compiled in module user, 0.100 sec 4,252 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/operators
* Clauses for recommended/3 are not together in the source file
Clauses for recommended/2 are not together in the source file
Clauses for addpostcondition/2 are not together in the source file
% operators compiled in module user, 0.600 sec 8,308 bytes
% intruder.pl compiled in module user, 6.283 sec 101,320 bytes
yes

| ?- statistics.

memory (total)      649696 bytes:     464956 in use,    184740 free
   program space    333892 bytes
   global space      65532 bytes:      26688 in use,     38844 free
      global stack     24584 bytes
      trail               16 bytes
      system            2088 bytes
   local stack       65532 bytes:        440 in use,     65092 free
      local stack        416 bytes
      system              24 bytes

  0.000 sec. for 0 global and 3 local space shifts
  0.000 sec. for 0 garbage collections which collected 0 bytes
  6.566 sec. runtime

yes

| ?- start.

************************************************************************


AUDIT  FILE 

The  following  displays  the  current  contents  of  the  audit  file: 


Name     Time   Path      Command               Result
adams    122    adams     cd ~adams             ok
adams    125    adams     cd diradams           ok
adams    500    diradams  emacs auxb            1229
adams    1233   diradams  emacs auxc            5221
adams    1237   diradams  logout                ok
adams    5832   none      login adams           fail
adams    5839   none      login adams           fail
adams    5846   none      login adams           ok
adams    5855   adams     cd ~root/bin          ok
adams    5878   bin       ls                    fail
adams    5903   bin       ls                    ok
adams    5915   bin       cd ~adams             ok
adams    5920   adams     cd ~tom/ba            ok
adams    5935   ba        cd ~dog               ok
adams    5957   dog       ls                    ok
adams    5960   dog       cd ~adams             ok
adams    5978   adams     cd ~tom               ok
adams    6016   tom       ls                    fail
adams    6019   tom       ls                    ok
adams    6036   tom       cd ~adams             ok
adams    6052   adams     cd ~uri               ok
adams    6066   uri       ls                    ok
adams    6090   uri       cd ~adams             ok
adams    6096   adams     cd ba                 ok
adams    6111   ba        cd ~root/bin          ok
adams    6114   bin       cd ~evans/csclass     ok
adams    6116   csclass   cd ~tom               ok
adams    6138   tom       rm *                  ok
adams    6297   tom       mail tom              Haha ful
adams    6303   tom       logout                ok
coleman  622    none      login coleman         fail
coleman  632    none      login coleman         fail
coleman  636    none      login coleman         ok
coleman  652    coleman   cd ~smith             ok
coleman  684    smith     ls                    ok
coleman  729    smith     ls                    ok
coleman  736    smith     login smith           ok
davis    9      none      login davis           ok
davis    14     davis     cd ~adams             ok
davis    21     adams     ls                    ok
davis    96     adams     login adams           fail
davis    108    adams     login adams           ok
davis    3256   none      login davis           ok
davis    3461   davis     emacs goodnews        1447
davis    3467   davis     logout                ok
davis    7582   none      login davis           ok
davis    8012   davis     emacs topsecret       1572
davis    8013   davis     logout                ok

doe      2414   none      login doe             fail
doe      2421   doe       su                    fail
doe      2421   none      login doe             ok
doe      2436   doe       su                    fail
doe      2444   doe       su                    fail
doe      2449   doe       su                    ok
doe      2467   doe       cd ~adams             ok
doe      2473   adams     ls                    ok
doe      2491   adams     cd ~tom/ba            ok
doe      2510   ba        cd ~dog               ok
doe      2522   dog       ls                    ok
doe      2529   dog       cd ~adams             ok
doe      2536   adams     cd ~tom/ba            ok
doe      2543   ba        cd ~root/bin          ok
doe      2546   bin       cd ~evans/csclass     ok
doe      2558   csclass   cd ~davis             ok
doe      2569   davis     cd ~farmer            ok
doe      2583   farmer    ls                    ok
doe      2596   farmer    cd ~adams             ok
doe      2615   adams     cd ~tom/ba            ok
doe      2629   ba        cd bin                ok
doe      2632   bin       cd ~evans/csclass     ok
doe      2636   csclass   cd ~davis             ok
doe      2643   davis     cd ~adams/diradams    ok
doe      2646   diradams  cd ~graham            ok
doe      2670   graham    ls                    ok
doe      2687   adams     cd ~root              ok
doe      2687   graham    cd ~adams             ok
doe      2709   root      ls                    ok
doe      2720   root      cd ~adams             ok
doe      2911   adams     cat auxa              ok
doe      2938   adams     cat auxb              ok
doe      2979   none      login doe             fail
doe      2981   none      login doe             ok
doe      2982   doe       su                    fail
doe      2998   doe       su                    fail
doe      3007   doe       su                    fail
doe      3010   doe       su                    fail
doe      3025   doe       su                    fail
doe      3035   doe       su                    fail
doe      3046   doe       su                    fail
doe      3061   doe       su                    fail
doe      3080   doe       su                    fail
doe      3085   doe       su                    fail
doe      3104   doe       su                    fail
doe      3114   doe       su                    fail
doe      3132   adams     cat auxc              ok
doe      3133   doe       su                    fail
doe      3152   doe       su                    fail
doe      3163   doe       su                    fail
doe      3174   doe       su                    fail
doe      3186   doe       su                    fail
doe      3187   doe       su                    fail
doe      3195   adams     cat diradams          ok
doe      3199   doe       su                    fail
doe      3204   adams     cd ~tom/ba            ok
doe      3207   doe       su                    fail
doe      3214   ba        cd ~graham            ok
doe      3214   doe       su                    fail
doe      3217   doe       su                    fail
doe      3221   doe       su                    fail
doe      3238   doe       su                    fail
doe      3249   doe       su                    fail
doe      3253   doe       su                    fail
doe      3269   doe       su                    fail
doe      3279   doe       su                    ok
doe      3283   doe       cd ~root/bin          ok
doe      3311   bin       ls                    ok
doe      3320   bin       cd root               ok
doe      3336   root      ls                    ok
doe      3350   root      cd ~adams             ok
doe      3360   adams     cd ~tom/ba            ok
doe      3377   ba        cd ~root/bin          ok
doe      3379   graham    cat important         ok
doe      3390   graham    cd ~adams             ok
doe      3403   adams     cd ~farmer            ok
doe      3512   farmer    cat secrets           ok
doe      3516   farmer    logout                ok
doe      3875   bin       emacs cd              5038
doe      4430   bin       emacs ls              2121
doe      5140   bin       emacs please_run_me   22914
doe      5141   bin       logout                ok
doe      5147   bin       login doe             fail
doe      5155   bin       login doe             fail
doe      5169   bin       login doe             fail
doe      5176   bin       login doe             fail
doe      5186   bin       login doe             fail
doe      5192   bin       login doe             fail
doe      5193   bin       login doe             fail
doe      5203   bin       login doe             ok
doe      5204   doe       cd ~root/bin          ok
doe      5272   bin       emacs please_run_me   22914
doe      5275   bin       logout                ok

evans    340    none      login evans           ok
evans    625    evans     emacs csclass         511
evans    655    evans     mail root             bad(csclass,evans)
evans    657    evans     logout                ok
farmer   668    farmer    cd ~root/bin          ok
farmer   668    none      login farmer          ok
farmer   671    bin       ls                    ok
farmer   687    bin       cd ~root              ok
farmer   707    root      ls                    ok
farmer   711    root      login root            fail
farmer   716    root      login root            fail
farmer   720    root      login root            fail
farmer   722    root      login root            fail
farmer   733    root      login root            fail
farmer   747    root      login root            fail
farmer   751    root      login root            ok
graham   9382   graham    emacs important       10219
graham   9390   graham    logout                ok
graham   9994   none      login graham          ok
graham   9997   graham    cd ~tom               ok
graham   10033  tom       ls                    ok
graham   10037  tom       emacs aa              658
graham   10044  tom       logout                ok
root     760    root      cd etc                ok
root     788    etc       cp passwd ~smith/dont_dare_look_at_this  ok
root     942    etc       mail root             Captain Flash strikes again!!!!
root     947    etc       logout                ok
root     8573   none      login root            ok
root     8585   root      cd ~adams             ok
root     8604   adams     cd ~root/bin          ok
root     8642   bin       ls                    ok
root     8645   bin       mail root             bad(cd,bin)
root     8654   bin       cd ~adams             ok
root     8667   adams     cd ~tom/ba            ok
root     8684   ba        cd ~root/bin          ok
root     8696   bin       cd ~graham            ok
root     8730   graham    ls                    ok
root     8826   graham    login graham          ok
smith    819    smith     emacs tmp1434         344
smith    1016   smith     emacs tmp1435         362
smith    1438   smith     emacs tmp1436         405
smith    1444   smith     logout                ok
smith    7867   none      login smith           ok
smith    7872   smith     cd ~adams             ok
smith    7891   adams     cd ~tom               ok
smith    8027   tom       emacs bb              451
smith    8029   tom       mail root             bad(cd,bin)
smith    8036   tom       logout                ok
tom      1122   none      login tom             ok
tom      1140   tom       cd ~adams             ok
tom      1146   adams     cd ~doe               ok
tom      1176   doe       ls                    ok
tom      1754   doe       emacs bigpaper        30111
tom      1759   doe       logout                ok

MAIL RECEIVED

The following displays mail received by root:

From     To    Time   Problem(File,Directory)
evans    root  655    bad(csclass,evans)
root     root  942    Captain Flash strikes again
root     root  8645   bad(cd,bin)
smith    root  8029   bad(cd,bin)
% Undefined procedures will just fail ('fail' option)
Warnings:
This fact is not removable: changed(password,root)
This fact is not removable: confronted(user,_12829)
This fact is not removable: examined(password,_12763)
This fact is not removable: executed(password,cracker)
This fact is not removable: investigated(password,_12742)
This fact is not removable: changed(password,for,_12700)
This fact is not removable: changed(permissions,file,_12872)
This fact is not removable: restored(password,for,_12808)
This fact is not removable: issued(new,password,to,_12786)


Your  objectives: 

backup tape is stored and password cracker is executed.
Wait  a  moment  while  I  analyze  the  problem  thoroughly. 


*********************************************************************** 
*  * 

*  To  see  a  list  of  possible  actions,  type  the  letter  "h"  or  the  word  * 

*  "help."  To  review  the  audit  file  or  your  mail  at  anytime,  type  the  * 

*  word  "audit file"  or  "mail"  respectively.  * 

*  * 


Type  h  for  help. 

************  These  facts  are  now  true:  ************* 
bac]cup  tape  is  stored, 

mail (ovans, root, 655,bad(csclas8, evans) )  is  true, 

mail (root, root , 942 , Captain  Flash  strikes  again!!!!)  is  true, 

mail (root , root , 8 64 5, bad (cd, bin) )  is  true, 

and  mail (smith, root, 8029, bad (cd, bin) )  is  true. 

Select an action: execute password cracker
You chose to execute password cracker.

OK, but a hint: "change permissions file passwd"
is more important now than "execute password cracker".

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
known(insecure,password,for,_201271) is true,
known(insecure,password,for,_201278) is true,
known(insecure,password,for,_201285) is true,
known(insecure,password,for,_201292) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: change permissions file passwd
You chose to change permissions file passwd.

>>>>Operator change(permissions,file,passwd) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true

>>>>Operator change(permissions,file,passwd) could not be applied to:
password cracker is executed,
backup tape is stored,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true

Have you confused that with the check permissions file passwd action?

That action requires that:
checked(permissions,file,passwd) is true.

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
known(insecure,password,for,_208775) is true,
known(insecure,password,for,_208782) is true,
known(insecure,password,for,_208789) is true,
known(insecure,password,for,_208796) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: check permissions file passwd
You chose to check permissions file passwd.

OK.

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: change permissions file passwd
You chose to change permissions file passwd.

OK.

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: change password for adams
You chose to change password for adams.

OK, but a hint: "change root password"
is more important now than "change password for adams".

************ These facts are now true: *************
password cracker is executed,
backup tape is stored,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: change root password
You chose to change root password.

OK.

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is stored,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: change password for farmer
You chose to change password for farmer.

OK, but a hint: "compare file cd for Trojan Horse with cd on backup tape"
is more important now than "change password for farmer".

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is stored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: loacte backup tape
You chose to loacte backup tape.

I assume you mean locate backup tape.

OK.

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: load backup tape
You chose to load backup tape.

OK.

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
and mail(smith,root,8029,bad(cd,bin)) is true.

Select an action: find file cd on backup tape
You chose to find file cd on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
and found(file,cd,on,backup,tape) is true.

Select an action: compare file cd for Trojan Horse with cd on backup tape
You chose to compare file cd for Trojan Horse with cd on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.

Select an action: find file ls on backup tape
You chose to find file ls on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.

Select an action: compare file ls for Trojan Horse with ls on backup tape
You chose to compare file ls for Trojan Horse with ls on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: change password for graham
You chose to change password for graham.

OK, but a hint: "confront user doe"
is more important now than "change password for graham".

************ These facts are now true: *************
password root is changed,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: confront user doe
You chose to confront user doe.

OK.

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: change password for smith
You chose to change password for smith.

OK, but a hint: "restore modified file cd from backup"
is more important now than "change password for smith".

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: restore modified file cd from backup
You chose to restore modified file cd from backup.

OK.

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: h

Possible actions are:
change root password,
confront user _498410,
execute password cracker,
load backup tape,
locate backup tape,
store backup tape,
change password for _496436,
change permissions file passwd,
check permissions file _498448,
examine user password _498454,
investigate user password _498460,
issue _498464 new user password,
remove Trojan Horse from _498474,
restore user password for _498481,
find file _498486 on backup tape,
restore deleted file _498495 from backup,
restore modified file _498503 from backup,
restore modified file passwd from backup,
and compare file _498518 for Trojan Horse with _498518 on backup tape.

Possible commands to the tutor are:
help,
exit,
auditfile,
and mail.

Your objectives are:
password cracker must be executed and backup tape must be stored.

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: find file bb on backup tape
You chose to find file bb on backup tape.

Have you confused that with the find file aa on backup tape action?

OK, but a hint: "restore deleted file aa from backup"
is more important now than "restore deleted file bb from backup".

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: find file aa on backup tape
You chose to find file aa on backup tape.

OK.

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: restore deleted file aa from backup
You chose to restore deleted file aa from backup.

OK.

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file aa is restored,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: restore deleted file bb from backup
You chose to restore deleted file bb from backup.

OK.

************ These facts are now true: *************
password root is changed,
user doe is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file aa is restored,
file bb is restored,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(evans,root,655,bad(csclass,evans)) is true,
mail(root,root,942,Captain Flash strikes again!!!!) is true,
mail(root,root,8645,bad(cd,bin)) is true,
mail(smith,root,8029,bad(cd,bin)) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.

Select an action: store backup tape
You chose to store backup tape.

OK.

Congratulations! You have done the job.

The session is over. Do "go." to restart.

yes

| ?- statistics.

memory (total)     2353632 bytes:   1305836 in use,   1047796 free
   program space   1174772 bytes
   global space      65532 bytes:     26820 in use,     38712 free
      global stack   24692 bytes
      trail             40 bytes
      system          2088 bytes
   local space       65532 bytes:       648 in use,     64884 free
      local stack      624 bytes
      system            24 bytes

 0.000 sec. for 0 global and 32 local space shifts
 0.233 sec. for 1 garbage collections which collected 1017792 bytes
47.100 sec. runtime

yes
| ?- halt.




TAB  3.  RUN  3 


The  following  is  the  audit  file  used  for  Run  3: 


audit(jones,1680,none,'login jones',ok).
audit(jones,1681,jones,'cd ~smith',ok).
audit(jones,1716,smith,ls,ok).
audit(jones,1818,smith,'login smith',ok).
audit(smith,2368,smith,'emacs tmpl434',344).
audit(smith,3000,smith,'emacs tmpl435',362).
audit(evans,3287,none,'login evans',ok).
audit(evans,3303,evans,'cd ~root/bin',ok).
audit(evans,3331,bin,ls,ok).
audit(evans,3440,bin,'cd ~adams',ok).
audit(evans,3452,adams,'cd ~graham',ok).
audit(smith,3465,smith,'emacs tmpl436',405).
audit(evans,3469,graham,ls,ok).
audit(smith,3473,smith,logout,ok).
audit(uri,3550,none,'login uri',ok).
audit(uri,3561,uri,'cd ~adams',ok).
audit(uri,3569,adams,'cd ~root/bin',ok).
audit(uri,3602,bin,ls,ok).
audit(uri,3609,bin,'cd ~adams',ok).
audit(uri,3626,adams,'cd ~root',ok).
audit(evans,3627,graham,'login graham',ok).
audit(uri,3634,root,ls,fail).
audit(uri,3646,root,ls,fail).
audit(uri,3677,root,ls,fail).
audit(uri,3680,root,ls,ok).
audit(uri,3691,root,'login root',fail).
audit(uri,3699,root,'login root',fail).
audit(uri,3704,root,'login root',fail).
audit(uri,3705,root,'login root',fail).
audit(uri,3708,root,'login root',fail).
audit(uri,3722,root,'login root',fail).
audit(uri,3735,root,'login root',ok).
audit(root,3755,root,'cd etc',ok).
audit(root,3796,etc,'cp passwd ~smith/dont_dare_look_at_this',ok).
audit(dog,3890,none,'login dog',fail).
audit(dog,3897,none,'login dog',fail).
audit(dog,3900,none,'login dog',fail).
audit(dog,3908,none,'login dog',fail).
audit(dog,3918,none,'login dog',fail).
audit(dog,3924,none,'login dog',fail).
audit(dog,3934,none,'login dog',fail).
audit(dog,3940,none,'login dog',ok).
audit(dog,3941,dog,su,fail).
audit(dog,3948,dog,su,fail).
audit(farmer,3954,none,'login farmer',fail).
audit(dog,3955,dog,su,fail).
audit(dog,3958,dog,su,fail).
audit(farmer,3966,none,'login farmer',fail).
audit(dog,3971,dog,su,fail).
audit(farmer,3974,none,'login farmer',fail).
audit(root,3974,etc,'mail root','Captain Flash strikes again!!!!').
audit(root,3978,etc,logout,ok).
audit(dog,3985,dog,su,fail).
audit(farmer,3985,none,'login farmer',ok).
audit(farmer,3990,farmer,su,fail).
audit(dog,3994,dog,su,fail).
audit(dog,3995,dog,su,fail).
audit(farmer,3996,farmer,su,fail).
audit(dog,4014,dog,su,fail).
audit(farmer,4015,farmer,su,fail).
audit(farmer,4026,farmer,su,fail).
audit(farmer,4028,farmer,su,fail).
audit(farmer,4032,farmer,su,fail).
audit(dog,4034,dog,su,fail).
audit(farmer,4039,farmer,su,fail).
audit(dog,4047,dog,su,fail).
audit(farmer,4056,farmer,su,ok).
audit(farmer,4057,farmer,'cd ~adams',ok).
audit(dog,4060,dog,su,fail).
audit(farmer,4064,adams,ls,ok).
audit(dog,4077,dog,su,fail).
audit(dog,4082,dog,su,fail).
audit(farmer,4083,adams,'cd ~dog',ok).
audit(dog,4093,dog,su,fail).
audit(graham,4098,graham,'emacs importantM0444).
audit(graham,4099,graham,logout,ok).
audit(farmer,4105,dog,ls,ok).
audit(dog,4108,dog,su,fail).
audit(dog,4119,dog,su,fail).
audit(farmer,4123,dog,'cd ~adams',ok).
audit(dog,4133,dog,su,fail).
audit(farmer,4137,adams,'cd ~tom/ba',ok).
audit(farmer,4144,ba,'cd ~farmer',ok).
audit(dog,4150,dog,su,fail).
audit(farmer,4152,farmer,ls,fail).
audit(dog,4166,dog,su,fail).
audit(dog,4170,dog,su,fail).
audit(dog,4182,dog,su,fail).
audit(farmer,4184,farmer,ls,ok).
audit(dog,4186,dog,su,fail).
audit(dog,4187,dog,su,fail).
audit(farmer,4195,farmer,'cd ~graham',ok).
audit(dog,4202,dog,su,fail).
audit(farmer,4210,graham,ls,ok).
audit(davis,4213,none,'login davis',ok).
audit(dog,4214,dog,su,fail).
audit(farmer,4217,graham,'cd ~root',ok).
audit(dog,4220,dog,su,fail).
audit(dog,4230,dog,su,fail).
audit(farmer,4232,root,ls,ok).
audit(farmer,4234,root,'cd ~adams',ok).
audit(dog,4242,dog,su,fail).
audit(farmer,4252,adams,'cat auxa',ok).
audit(dog,4258,dog,su,fail).
audit(dog,4260,dog,su,ok).
audit(dog,4271,dog,'cd ~root/bin',ok).
audit(dog,4287,bin,ls,fail).
audit(dog,4310,bin,ls,ok).
audit(dog,4330,bin,'cd ~root',ok).
audit(dog,4354,root,ls,ok).
audit(dog,4367,root,'cd ~adams',ok).
audit(dog,4381,adams,'cd ~root/bin',ok).
audit(farmer,4412,adams,'cat auxb',ok).
audit(davis,4490,davis,'emacs goodnews',1258).
audit(davis,4490,davis,logout,ok).
audit(farmer,4494,adams,'cat auxc',ok).
audit(dog,4558,dog,'cd ~tom',ok).
audit(dog,4558,none,'login dog',ok).
audit(farmer,4710,adams,'cat dirad^s',ok).
audit(fanner,4719,adams,’cd  ~tom/ba’,ok). 
audit(fanner, 4720, ba,’cd -root/bin’, ok). 
audit(famier,4738,bin,’cd  -graham’,ok). 
audit(dog,4766,tom,’emacsbb’,540). 
audit(fanner,4836,graham,’cat  important’  ,ok). 
audit(farmer,4849 ,graham,’cd  -farmer  ’  ,ok). 
audit(dog,4895,bin,’emacscd’,5075). 
audit(dog,4906,tom,’mailroot’,bad(bb,tom)). 
audit(dog,4909,tom4ogout,ok). 
audit(farmer,5002,farmer,’cat  secrets’,ok). 
audit(famier,5005 ,fanner,Iogout,ok). 
audit(root,5006,none,’login  root’ /ail). 
audit(root,5010,none,’loginroot’4ail). 
audit(root,50144ione,’login  root’ /ail). 
audit(root,5016jione,’login  root’ /ail). 
audit(root,5021jione,’loginroot’,fail). 
audit(root,50304ione,’loginroot’,ok). 
audit(root,50454'oot,’cd  -rool/bin’,ok). 
audit(root,505 1  ,bin4s/ail). 
audit(root,507 1 ,bin4s,ok). 
audit(root,5079,bin,’cd  ~adams’,ok). 
audit(root,50944dams,’cd  -tom/ba’,ok). 
audit(root,5096,ba,’cd  -evans/csclass’,ok). 
audit(root,5 108,csclass,’cd  -davis’,ok). 
audit(root,5 128,davis,’cd  -adams/diradams’,ok). 
audit(root,5 143,diradams,’cd  -doe’,ok). 
audit(root,5 147,doe.’cd  -dog  ’  ,ok). 
audit(root,5 186,dog4s,fail). 
audit(root,5214,dog,ls,fail). 
audit(root,5246,dog,Is,ok). 
audit(root,5249,dog,’cd-adams’,ok). 
audit(root,5257,adams,’cd -tom/ba’ ,ok). 
audit(brown,527  l,none,’login  brown’,ok). 
audit(brown,5275,brown,’cd-adams’,ok). 
audit(root,5275,ba,’cd  -tom’,ok). 
audit(root,5276,tom,ls,ok). 
audit(root,5284,tom,’cd  -adams’,ok). 
audit(dog,5289,bin,’emacs  Is’ ,2120). 
audit(root,52943dams,’cd  -tom/ba’  ,ok). 
audit(root,53 10,ba,’cd  -root/bin’,ok). 
audit(root,53 1  l,bin,’cd  ~evans/csclass’,ok). 
audit(brown,53 13,adams,ls,ok). 
audit(root,5322,csclass,’cd  ~uri’,ok). 
audit(root,5335,uri,ls,ok). 
audit(root,5344,uri,’cd  -adams’.ok). 
audit(root,5355,adams,’cd-tom/ba’,ok). 
audit(jones,5359,none,’login  jones’,ok). 
audit(root,5371,ba,’cd-root/bin’,ok). 
audit(root,5374,bin,’cd  -tom’.ok). 
audit(jones,5377Jones,’cd-doe’,ok). 
audit(jones,5386,doe,ls,ok). 
audit(root,5394,tom,’rm  *’,ok). 
audit(root,5417,tom,’mail  tom’.’Haha  ful’). 
audit{root,54 19,tom4ogout,ok). 
audit(jones,5435.doe,’mail  root’,bad(cd,bin)). 
audit(brown.5455,adams.’mail  root’,bad(cd.bin)). 
audit(brown.5456,adams,’login  adams’,ok). 
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audit(adams,5469,adams,’cd  diradams’,ok). 
audit(adams,5669,diradams,’emacs  auxbM  354). 
audit(adams,5709,diradanis,’mailroot’,bad(cd,bin)). 
audit(jones,5798,doe,’einacsbigpaper’;29935). 
audit(jones,5798,doe,logout,ok). 
audit(davis,594 1  ,none,  ’login  davis  ’/ail). 
audit(davis,5941jione,’login  davis’,ok). 
audit(davis,5963,davis,’emacs  topsecret’,1572). 
audit(davis,5970,davis,logout,ok). 
audit(dog,6085,bin,’emacs  please_run_me’^2914). 
audit(dog,6088,bin, logout, ok). 
audit(dog,6099,bin, ’login  dog’/ail). 
audit(dog,6101, bin, ’login  dog’/ail). 
audit(dog,6103,bin,’login  dog’,fail). 
audit(dog,61 1 0,bin,  ’login  dog’  ,fail). 
audit(dog,6112,bin,’login  dog’,fail). 
audit(dog,6113,bin,’login  dog’,fail). 
audit(dog,6 1 25,bin,  ’login  dog  ’  ,fail). 
audit(dog,6128, bin, ’login  dog’,failX 
audit(dog,6139,bin,’login  dog’/ail). 
audit(dog,6153,bin,’login  dog’/ail). 
audit(dog,6 1 60,bin, ’login  dog ’ ,fail). 
audit(dog,6172,bin,’login  dog’/ail). 
audit(dog,6173,bin,’login  dog’,fail). 
audit(dog,6184,bin,’login  dog’,fail). 
audit(dog,6196,bin,’login  dog’/ail). 
audit(dog,6199,bin,’login  dog’,ok). 
audit(dog,6216,dog,’cd~adams’,ok). 
audit(dog,6234,adams,’cd  ~tom/ba’,ok). 
audit(dog,6237,ba,’cd  ~root/bin’,ok). 
audit(adanis,6266,diradams,’emacsauxc’,5060). 
audit(adanis,6268,diradams,logout,ok). 
audit(dog,6397,bin,’emacs  please_run_nie’,229 14). 
audi  t(dog  ,6403 ,bin , logout , ok). 
audit(evans,6867,none,’login  evans’,ok). 
audit(evans,6956,evans,’eniacs  csclass’,519). 
audit(evans,6962,evans,logout,ok). 
audit(grahani,8088,none,  ’login  graham  ’  ,ok). 
audit(graham, 8098, graham ,  ’cd  -tom  ’  ,ok). 
audi  t(graham,8 1 2 1  ,tom  ,ls,okX 
audit(graham,8266.tom,’mailroot’,bad(cd,bin)). 
audit(graham,8855,tom,’emacsaa’,549i 
audit(graham,8858,tom,logout,ok). 


The  following  is  the  script  of  Run  3: 


Script started on Wed Mar 15 22:45:04 1995
alias: No such file or directory.
ai2:/users/work4/schiavo/Thesis/Tutor>> prolog

Quintus Prolog Release 3.1.1 (Sun-4, SunOS 4.0)
Copyright (C) 1990, Quintus Corporation. All rights reserved.
2100 Geng Road, Palo Alto, California U.S.A. (415) 813-3800

| ?- [intruder].
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/intruder.pl
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/metutor30.pl
% Undefined procedures will just fail ('fail' option)
% loading file /usr/local/q3.1.1/generic/qplib3.1.1/library/random.qof
% foreign file /usr/local/q3.1.1/generic/qplib3.1.1/library/sun4-4/libpl.so loaded
% random.qof loaded, 0.117 sec 9,392 bytes
% module random imported into user
* Clauses for writefact/2 are not together in the source file
% metutor30.pl compiled in module user, 3.150 sec 50,420 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/modrowe6
% modrowe6 compiled in module user, 0.733 sec 16,388 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/filetree
% filetree compiled in module user, 0.433 sec 5,296 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/rules
* Clauses for behavior/5 are not together in the source file
* Clauses for behavior/4 are not together in the source file
% rules compiled in module user, 0.633 sec 7,440 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/rowefiles
% rowefiles compiled in module user, 0.100 sec 4,304 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/operators
* Clauses for recommended/3 are not together in the source file
* Clauses for recommended/2 are not together in the source file
* Clauses for addpostcondition/2 are not together in the source file
% operators compiled in module user, 0.584 sec 8,348 bytes
% intruder.pl compiled in module user, 6.383 sec 103,092 bytes

yes
| ?- statistics.
memory (total)      649696 bytes:   466728 in use,   182968 free
   program space    335664 bytes
   global space      65532 bytes:    26688 in use,    38844 free
      global stack   24584 bytes
      trail             16 bytes
      system          2088 bytes
   local stack       65532 bytes:      440 in use,    65092 free
      local stack      416 bytes
      system            24 bytes
 0.017 sec. for 0 global and 3 local space shifts
 0.000 sec. for 0 garbage collections which collected 0 bytes
 6.733 sec. runtime

yes
| ?- start.


AUDIT FILE

The following displays the current contents of the audit file:

Name    Time  Path      Command              Result
adams   5469  adams     cd diradams          ok
adams   5669  diradams  emacs auxb           1354
adams   5709  diradams  mail root            bad(cd,bin)
adams   6266  diradams  emacs auxc           5060
adams   6268  diradams  logout               ok
brown   5271  none      login brown          ok
brown   5275  brown     cd ~adams            ok
brown   5313  adams     ls                   ok
brown   5455  adams     mail root            bad(cd,bin)
brown   5456  adams     login adams          ok
davis   4213  none      login davis          ok
davis   4490  davis     emacs goodnews       1258
davis   4490  davis     logout               ok
davis   5941  none      login davis          fail
davis   5941  none      login davis          ok
davis   5963  davis     emacs topsecret      1572
davis   5970  davis     logout               ok
dog     3890  none      login dog            fail
dog     3897  none      login dog            fail
dog     3900  none      login dog            fail
dog     3908  none      login dog            fail
dog     3918  none      login dog            fail
dog     3924  none      login dog            fail
dog     3934  none      login dog            fail
dog     3940  none      login dog            ok
dog     3941  dog       su                   fail
dog     3948  dog       su                   fail
dog     3955  dog       su                   fail
dog     3958  dog       su                   fail
dog     3971  dog       su                   fail
dog     3985  dog       su                   fail
dog     3994  dog       su                   fail
dog     3995  dog       su                   fail
dog     4014  dog       su                   fail
dog     4034  dog       su                   fail
dog     4047  dog       su                   fail
dog     4060  dog       su                   fail
dog     4077  dog       su                   fail
dog     4082  dog       su                   fail
dog     4093  dog       su                   fail
dog     4108  dog       su                   fail
dog     4119  dog       su                   fail
dog     4133  dog       su                   fail
dog     4150  dog       su                   fail
dog     4166  dog       su                   fail
dog     4170  dog       su                   fail
dog     4182  dog       su                   fail
dog     4186  dog       su                   fail
dog     4187  dog       su                   fail
dog     4202  dog       su                   fail
dog     4214  dog       su                   fail
dog     4220  dog       su                   fail
dog     4230  dog       su                   fail
dog     4242  dog       su                   fail
dog     4258  dog       su                   fail
dog     4260  dog       su                   ok
dog     4271  dog       cd ~root/bin         ok
dog     4287  bin       ls                   fail
dog     4310  bin       ls                   ok
dog     4330  bin       cd ~root             ok
dog     4354  root      ls                   ok
dog     4367  root      cd ~adams            ok
dog     4381  adams     cd ~root/bin         ok
dog     4558  dog       cd ~tom              ok
dog     4558  none      login dog            ok
dog     4766  tom       emacs bb             540
dog     4895  bin       emacs cd             5075
dog     4906  tom       mail root            bad(bb,tom)
dog     4909  tom       logout               ok
dog     5289  bin       emacs ls             2120
dog     6085  bin       emacs please_run_me  22914
dog     6088  bin       logout               ok
dog     6099  bin       login dog            fail
dog     6101  bin       login dog            fail
dog     6103  bin       login dog            fail
dog     6110  bin       login dog            fail
dog     6112  bin       login dog            fail
dog     6113  bin       login dog            fail
dog     6125  bin       login dog            fail
dog     6128  bin       login dog            fail
dog     6139  bin       login dog            fail
dog     6153  bin       login dog            fail
dog     6160  bin       login dog            fail
dog     6172  bin       login dog            fail
dog     6173  bin       login dog            fail
dog     6184  bin       login dog            fail
dog     6196  bin       login dog            fail
dog     6199  bin       login dog            ok
dog     6216  dog       cd ~adams            ok
dog     6234  adams     cd ~tom/ba           ok
dog     6237  ba        cd ~root/bin         ok
dog     6397  bin       emacs please_run_me  22914
dog     6403  bin       logout               ok
evans   3287  none      login evans          ok
evans   3303  evans     cd ~root/bin         ok
evans   3331  bin       ls                   ok
evans   3440  bin       cd ~adams            ok
evans   3452  adams     cd ~graham           ok
evans   3469  graham    ls                   ok
evans   3627  graham    login graham         ok
evans   6867  none      login evans          ok
evans   6956  evans     emacs csclass        519
evans   6962  evans     logout               ok
farmer  3954  none      login farmer         fail
farmer  3966  none      login farmer         fail
farmer  3974  none      login farmer         fail
farmer  3985  none      login farmer         ok
farmer  3990  farmer    su                   fail
farmer  3996  farmer    su                   fail
farmer  4015  farmer    su                   fail
farmer  4026  farmer    su                   fail
farmer  4028  farmer    su                   fail
farmer  4032  farmer    su                   fail
farmer  4039  farmer    su                   fail
farmer  4056  farmer    su                   ok
farmer  4057  farmer    cd ~adams            ok
farmer  4064  adams     ls                   ok
farmer  4083  adams     cd ~dog              ok
farmer  4105  dog       ls                   ok
farmer  4123  dog       cd ~adams            ok
farmer  4137  adams     cd ~tom/ba           ok
farmer  4144  ba        cd ~farmer           ok
farmer  4152  farmer    ls                   fail
farmer  4184  farmer    ls                   ok
farmer  4195  farmer    cd ~graham           ok
farmer  4210  graham    ls                   ok
farmer  4217  graham    cd ~root             ok
farmer  4232  root      ls                   ok
farmer  4234  root      cd ~adams            ok
farmer  4252  adams     cat auxa             ok
farmer  4412  adams     cat auxb             ok
farmer  4494  adams     cat auxc             ok
farmer  4710  adams     cat diradams         ok
farmer  4719  adams     cd ~tom/ba           ok
farmer  4720  ba        cd ~root/bin         ok
farmer  4738  bin       cd ~graham           ok
farmer  4836  graham    cat important        ok
farmer  4849  graham    cd ~farmer           ok
farmer  5002  farmer    cat secrets          ok
farmer  5005  farmer    logout               ok
graham  4098  graham    emacs important      10444
graham  4099  graham    logout               ok
graham  8088  none      login graham         ok
graham  8098  graham    cd ~tom              ok
graham  8121  tom       ls                   ok
graham  8266  tom       mail root            bad(cd,bin)
graham  8855  tom       emacs aa             549
graham  8858  tom       logout               ok
jones   1680  none      login jones          ok
jones   1681  jones     cd ~smith            ok
jones   1716  smith     ls                   ok
jones   1818  smith     login smith          ok
jones   5359  none      login jones          ok
jones   5377  jones     cd ~doe              ok
jones   5386  doe       ls                   ok
jones   5435  doe       mail root            bad(cd,bin)
jones   5798  doe       emacs bigpaper       29935
jones   5798  doe       logout               ok
root    3755  root      cd etc               ok
root    3796  etc       cp passwd ~smith/dont_dare_look_at_this  ok
root    3974  etc       mail root            Captain Flash strikes
root    3978  etc       logout               ok
root    5006  none      login root           fail
root    5010  none      login root           fail
root    5014  none      login root           fail
root    5016  none      login root           fail
root    5021  none      login root           fail
root    5030  none      login root           ok
root    5045  root      cd ~root/bin         ok
root    5051  bin       ls                   fail
root    5071  bin       ls                   ok
root    5079  bin       cd ~adams            ok
root    5094  adams     cd ~tom/ba           ok
root    5096  ba        cd ~evans/csclass    ok
root    5108  csclass   cd ~davis            ok
root    5128  davis     cd ~adams/diradams   ok
root    5143  diradams  cd ~doe              ok
root    5147  doe       cd ~dog              ok
root    5186  dog       ls                   fail
root    5214  dog       ls                   fail
root    5246  dog       ls                   ok
root    5249  dog       cd ~adams            ok
root    5257  adams     cd ~tom/ba           ok
root    5275  ba        cd ~tom              ok
root    5276  tom       ls                   ok
root    5284  tom       cd ~adams            ok
root    5294  adams     cd ~tom/ba           ok
root    5310  ba        cd ~root/bin         ok
root    5311  bin       cd ~evans/csclass    ok
root    5322  csclass   cd ~uri              ok
root    5335  uri       ls                   ok
root    5344  uri       cd ~adams            ok
root    5355  adams     cd ~tom/ba           ok
root    5371  ba        cd ~root/bin         ok
root    5374  bin       cd ~tom              ok
root    5394  tom       rm *                 ok
root    5417  tom       mail tom             Haha ful
root    5419  tom       logout               ok
smith   2368  smith     emacs tmp1434        344
smith   3000  smith     emacs tmp1435        362
smith   3465  smith     emacs tmp1436        405
smith   3473  smith     logout               ok
uri     3550  none      login uri            ok
uri     3561  uri       cd ~adams            ok
uri     3569  adams     cd ~root/bin         ok
uri     3602  bin       ls                   ok
uri     3609  bin       cd ~adams            ok
uri     3626  adams     cd ~root             ok
uri     3634  root      ls                   fail
uri     3646  root      ls                   fail
uri     3677  root      ls                   fail
uri     3680  root      ls                   ok
uri     3691  root      login root           fail
uri     3699  root      login root           fail
uri     3704  root      login root           fail
uri     3705  root      login root           fail
uri     3708  root      login root           fail
uri     3722  root      login root           fail
uri     3735  root      login root           ok

MAIL RECEIVED

The following displays mail received by root:

From    To    Time  Problem(File,Directory)
adams   root  5709  bad(cd,bin)
brown   root  5455  bad(cd,bin)
dog     root  4906  bad(bb,tom)
graham  root  8266  bad(cd,bin)
jones   root  5435  bad(cd,bin)
root    root  3974  Captain Flash strikes again!!!!

% Undefined procedures will just fail ('fail' option)
Warnings:
This fact is not removable: changed(password,root)
This fact is not removable: confronted(user,_14653)
This fact is not removable: examined(password,_14587)
This fact is not removable: executed(password,cracker)
This fact is not removable: investigated(password,_14566)
This fact is not removable: changed(password,for,_14524)
This fact is not removable: changed(permissions,file,_14696)
This fact is not removable: restored(password,for,_14632)
This fact is not removable: issued(new,password,to,_14610)

Your objectives:
backup tape is stored and password cracker is executed.
Wait a moment while I analyze the problem thoroughly.

**********************************************************************
* To see a list of possible actions, type the letter "h" or the word *
* "help." To review the audit file or your mail at anytime, type the *
* word "auditfile" or "mail" respectively.                           *

Type h for help.

************ These facts are now true: *************
backup tape is stored,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
and mail(root,root,3974,Captain Flash strikes again!!!!) is true.
Select an action: change root password
You chose to change root password.
OK, but a hint: "change permissions file passwd"
is more important now than "change root password".

************ These facts are now true: *************
password root is changed,
backup tape is stored,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
and mail(root,root,3974,Captain Flash strikes again!!!!) is true.
Select an action: check permissions file passwd
You chose to check permissions file passwd.
OK.

************ These facts are now true: *************
password root is changed,
backup tape is stored,
checked(permissions,file,passwd) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
and mail(root,root,3974,Captain Flash strikes again!!!!) is true.
Select an action: change permissions file passwd
You chose to change permissions file passwd.
OK.

************ These facts are now true: *************
password root is changed,
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
and mail(root,root,3974,Captain Flash strikes again!!!!) is true.
Select an action: confront user dog
You chose to confront user dog.
OK, but a hint: "compare file cd for Trojan Horse with cd on backup tape"
is more important now than "confront user dog".

************ These facts are now true: *************
password root is changed,
user dog is confronted,
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
and mail(root,root,3974,Captain Flash strikes again!!!!) is true.
Select an action: locate backup tape
You chose to locate backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
and mail(root,root,3974,Captain Flash strikes again!!!!) is true.
Select an action: load backup tape
You chose to load backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
and mail(root,root,3974,Captain Flash strikes again!!!!) is true.
Select an action: find file cd on backup tape
You chose to find file cd on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
and found(file,cd,on,backup,tape) is true.
Select an action: compare file cd for Trojan Horse with cd on backup tape
You chose to compare file cd for Trojan Horse with cd on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.
Select an action: execute password cracker
You chose to execute password cracker.
OK, but a hint: "compare file ls for Trojan Horse with ls on backup tape"
is more important now than "execute password cracker".

************ These facts are now true: *************
password root is changed,
user dog is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,_356277) is true,
known(insecure,password,for,_356284) is true,
known(insecure,password,for,_356291) is true,
known(insecure,password,for,_356298) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.
Select an action: find file ls on backup tape
You chose to find file ls on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.
Select an action: compare file ls for Trojan Horse with ls on backup tape
You chose to compare file ls for Trojan Horse with ls on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: examine user password dog
You chose to examine user password dog.
Have you confused that with the investigate user password dog action?
Your action is not what I would choose, but let us try it.

************ These facts are now true: *************
password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: investigate user password dog
You chose to investigate user password dog.
OK.

************  facta  are  now  true:  ************* 

password  root  is  changed, 

user  dog  is  confronted, 

password  dog  is  examined, 

password  cracker  is  executed, 

backup  tape  is  loaded, 

backup  tape  is  located, 

changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for adams
You chose to change password for adams.

OK, but a hint: "restore modified file bb from backup"
is more important now than "change password for adams".

************  These  facts  are  now  true:  ************* 

password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select  an  action:  find  file  bb  on  backup  tape 
You  chose  to  find  file  bb  on  backup  tape. 

OK. 

************ These facts are now true: *************

password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select  an  action:  restore  modified  file  bb  from  backup 
You  chose  to  restore  modified  file  bb  from  backup. 

OK. 

************  These  facts  are  now  true:  ************* 

password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file bb is restored,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select  an  action:  restore  modified  file  cd  from  backup 
You  chose  to  restore  modified  file  cd  from  backup. 

OK. 

************  These  facts  are  now  true:  ************* 

password  root  is  changed, 
user  dog  is  confronted, 
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file bb is restored,
file cd is restored,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select  an  action:  change  user  password  smith 
You  chose  to  change  user  password  smith. 

Not  a  valid  action. 

************ These facts are now true: *************
password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file bb is restored,
file cd is restored,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for smith
You chose to change password for smith.

OK, but a hint: "restore deleted file aa from backup"
is more important now than "change password for smith".

************  These  facts  are  now  true:  ************* 
password  root  is  changed, 
user  dog  is  confronted, 
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file bb is restored,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select  an  action:  find  file  aa  on  backup  tape 
You  chose  to  find  file  aa  on  backup  tape. 

OK. 

************  These  facts  are  now  true:  ************* 

password  root  is  changed, 

user  dog  is  confronted, 

password  dog  is  examined, 

password  cracker  is  executed, 

backup  tape  is  loaded, 

backup  tape  is  located, 

file  bb  is  restored, 

file  cd  is  restored, 

changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select  an  action:  restore  deleted  file  aa  from  backup 
You  chose  to  restore  deleted  file  aa  from  backup. 

OK. 

************ These facts are now true: *************

password root is changed,
user dog is confronted,
password dog is examined,
password cracker is executed,
backup tape is loaded,
backup tape is located,
file aa is restored,
file bb is restored,
file cd is restored,
changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore deleted file bb from backup
You chose to restore deleted file bb from backup.

OK.

************ These facts are now true: *************

password  root  is  changed, 

user  dog  is  confronted, 

password  dog  is  examined, 

password  cracker  is  executed, 

backup  tape  is  loaded, 

backup  tape  is  located, 

file  aa  is  restored, 

file  bb  is  restored, 

file  cd  is  restored, 

changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: store backup tape
You chose to store backup tape.

OK, but a hint: "change password for farmer"
is more important now than "store backup tape".

************  These  facts  are  now  true:  ************* 

password  root  is  changed, 

user  dog  is  confronted, 

password  dog  is  examined, 

password  cracker  is  executed, 

file  aa  is  restored, 

file  bb  is  restored, 

file  cd  is  restored, 

backup  tape  is  stored, 

changed(password,for,adams) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for farmer
You chose to change password for farmer.

OK. 

************  These  facts  are  now  true:  ************* 

password  root  is  changed, 

user  dog  is  confronted, 

password  dog  is  examined, 

password  cracker  is  executed, 

file  aa  is  restored, 

file  bb  is  restored, 

file  cd  is  restored, 

backup  tape  is  stored, 

changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,smith) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
investigated(user,password,dog) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(adams,root,5709,bad(cd,bin)) is true,
mail(brown,root,5455,bad(cd,bin)) is true,
mail(dog,root,4906,bad(bb,tom)) is true,
mail(graham,root,8266,bad(cd,bin)) is true,
mail(jones,root,5435,bad(cd,bin)) is true,
mail(root,root,3974,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for graham
You chose to change password for graham.

OK. 

Congratulations!  You  have  done  the  job. 

The  session  is  over.  Do  "go."  to  restart. 

yes 

| ?- statistics.

memory (total)      2484704 bytes:    1331300 in use,   1153404 free
   program space    1200236 bytes
   global space       65532 bytes:      27348 in use,     38184 free
      global stack    25220 bytes
      trail              40 bytes
      system           2088 bytes
   local stack        65532 bytes:        648 in use,     64884 free
      local stack       624 bytes
      system             24 bytes

16.017 sec. for 0 global and 30 local space shifts
 0.234 sec. for 1 garbage collections which collected 992596 bytes
47.066 sec. runtime

yes

| ?- halt.

TAB 4. RUN 3


The  following  is  the  audit  file  used  for  Run  4: 


audit(jones,338,none,'login jones',fail).
audit(jones,347,none,'login jones',fail).
audit(jones,355,none,'login jones',fail).
audit(jones,361,none,'login jones',fail).
audit(jones,363,none,'login jones',fail).
audit(jones,372,none,'login jones',fail).
audit(jones,385,none,'login jones',fail).
audit(jones,387,none,'login jones',fail).
audit(jones,394,none,'login jones',fail).
audit(jones,402,none,'login jones',fail).
audit(jones,413,none,'login jones',fail).
audit(jones,426,none,'login jones',ok).
audit(jones,433,jones,'cd ~root/bin',ok).
audit(jones,451,bin,ls,ok).
audit(jones,462,bin,'cd ~root',ok).
audit(jones,475,root,ls,ok).
audit(jones,481,root,'login root',fail).
audit(jones,489,root,'login root',fail).
audit(jones,495,root,'login root',fail).
audit(jones,501,root,'login root',fail).
audit(jones,514,root,'login root',ok).
audit(root,518,root,'cd ~adams',ok).
audit(root,533,adams,'cd ~tom/ba',ok).
audit(root,537,ba,'cd bin',ok).
audit(root,537,bin,'cd ~evans/csclass',ok).
audit(root,549,csclass,'cd ~root/etc',ok).
audit(root,557,etc,'cp passwd ~smith/dont_dare_look_at_this',ok).
audit(root,569,etc,'mail root','Captain Flash strikes again!!!!').
audit(root,576,etc,logout,ok).
audit(brown,1691,none,'login brown',ok).
audit(evans,1693,none,'login evans',ok).
audit(brown,1708,brown,'cd ~adams',ok).
audit(brown,1711,adams,'cd ~tom/ba',ok).
audit(brown,1726,ba,'cd ~root/bin',ok).
audit(brown,1730,bin,'cd ~evans/csclass',ok).
audit(brown,1734,csclass,'cd ~davis',ok).
audit(brown,1741,davis,'cd ~adams/diradams',ok).
audit(brown,1744,diradams,'cd ~doe',ok).
audit(brown,1752,doe,'cd ~tom',ok).
audit(tom,1843,none,'login tom',ok).
audit(tom,1845,tom,'cd ~adams',ok).
audit(tom,1859,adams,'cd ba',ok).
audit(tom,1872,ba,'cd ~root/bin',ok).
audit(tom,1905,bin,ls,ok).
audit(tom,2091,bin,'cd ~adams',ok).
audit(tom,2106,adams,'cd ba',ok).
audit(evans,2109,evans,'cd csclass',ok).
audit(evans,2109,csclass,logout,ok).
audit(tom,2126,ba,'cd ~graham',ok).
audit(tom,2160,graham,ls,ok).
audit(graham,2171,none,'login graham',fail).
audit(graham,2172,none,'login graham',fail).
audit(graham,2176,none,'login graham',ok).
audit(graham,2177,graham,'cd ~root/bin',ok).
audit(tom,2184,graham,'login graham',ok).

audit(graham,2194,bin,ls,fail).
audit(brown,2212,tom,'emacs bb',587).
audit(graham,2213,bin,ls,ok).
audit(graham,2214,bin,'cd ~dog',ok).
audit(graham,2249,dog,ls,fail).
audit(graham,2253,graham,'emacs important',10360).
audit(graham,2255,dog,ls,fail).
audit(graham,2260,graham,logout,ok).
audit(graham,2273,dog,ls,ok).
audit(graham,2292,dog,'cd ~adams',ok).
audit(graham,2302,adams,'cd ~tom/ba',ok).
audit(graham,2311,ba,'cd ~root/bin',ok).
audit(graham,2321,bin,'cd ~tom',ok).
audit(farmer,2330,none,'login farmer',ok).
audit(graham,2330,tom,ls,ok).
audit(farmer,2340,farmer,'cd ~adams',ok).
audit(graham,2342,tom,'cd ~adams',ok).
audit(farmer,2352,adams,'cd ~smith',ok).
audit(graham,2360,adams,'cd ~tom/ba',ok).
audit(davis,2363,none,'login davis',ok).
audit(graham,2367,ba,'cd ~uri',ok).
audit(graham,2376,uri,ls,ok).
audit(brown,2382,tom,'mail root',bad(bb,tom)).
audit(graham,2382,uri,'cd ~adams',ok).
audit(brown,2383,tom,logout,ok).
audit(farmer,2384,smith,ls,ok).
audit(graham,2391,adams,'cd ~tom',ok).
audit(farmer,2414,smith,'login smith',fail).
audit(farmer,2422,smith,'login smith',ok).
audit(graham,2429,tom,'rm *',ok).
audit(graham,2439,tom,'mail tom','Haha ful').
audit(graham,2444,tom,logout,ok).
audit(smith,2651,smith,'emacs tmpl434',344).
audit(davis,2940,davis,'emacs goodnews',1526).
audit(davis,2945,davis,logout,ok).
audit(evans,3046,none,'login evans',ok).
audit(evans,3066,evans,'cd ~adams',ok).
audit(evans,3075,adams,'cd ~tom/ba',ok).
audit(evans,3094,ba,'cd ~root/bin',ok).
audit(evans,3106,bin,'cd ~evans/csclass',ok).
audit(evans,3115,csclass,'cd ~doe',ok).
audit(evans,3118,none,'login evans',ok).
audit(smith,3122,smith,'emacs tmpl435',362).
audit(evans,3128,evans,'cd ~tom',ok).
audit(evans,3136,doe,ls,ok).
audit(evans,3161,tom,ls,ok).
audit(evans,3205,tom,ls,ok).
audit(smith,3237,smith,'emacs tmpl436',405).
audit(smith,3239,smith,logout,ok).
audit(evans,3290,doe,ls,fail).
audit(evans,3328,doe,ls,ok).
audit(evans,3351,tom,'emacs aa',503).
audit(evans,3357,tom,logout,ok).
audit(evans,3475,doe,'emacs bigpaper',30095).
audit(evans,3477,doe,logout,ok).
audit(davis,5712,none,'login davis',ok).
audit(davis,6132,davis,'emacs topsecret',1572).
audit(davis,6134,davis,logout,ok).
audit(davis,7336,none,'login davis',fail).
audit(davis,7346,none,'login davis',fail).
audit(davis,7354,none,'login davis',fail).
audit(davis,7363,none,'login davis',fail).
audit(davis,7364,none,'login davis',fail).
audit(davis,7371,none,'login davis',fail).
audit(davis,7378,none,'login davis',fail).
audit(davis,7387,none,'login davis',fail).
audit(davis,7399,none,'login davis',fail).
audit(davis,7402,none,'login davis',fail).
audit(davis,7409,none,'login davis',fail).
audit(davis,7417,none,'login davis',ok).
audit(davis,7436,davis,su,fail).
audit(davis,7445,davis,su,fail).
audit(davis,7446,davis,su,fail).
audit(davis,7459,davis,su,fail).
audit(davis,7472,davis,su,fail).
audit(davis,7488,davis,su,fail).
audit(davis,7501,davis,su,fail).
audit(davis,7516,davis,su,fail).
audit(davis,7521,davis,su,fail).
audit(davis,7521,davis,su,ok).
audit(davis,7535,davis,'cd ~adams',ok).
audit(davis,7554,adams,ls,ok).
audit(davis,7574,adams,'cd ~dog',ok).
audit(davis,7606,dog,ls,fail).
audit(davis,7620,dog,ls,fail).
audit(davis,7624,dog,ls,fail).
audit(davis,7638,dog,ls,ok).
audit(davis,7656,dog,'cd ~farmer',ok).
audit(farmer,7665,none,'login farmer',ok).
audit(farmer,7678,farmer,'cd ~adams',ok).
audit(davis,7679,farmer,ls,ok).
audit(davis,7685,farmer,'cd ~adams',ok).
audit(davis,7695,adams,'cd ~tom/ba',ok).
audit(davis,7696,ba,'cd ~root/bin',ok).
audit(davis,7703,bin,'cd ~evans/csclass',ok).
audit(davis,7706,csclass,'cd ~davis',ok).
audit(davis,7715,davis,'cd ~adams/diradams',ok).
audit(farmer,7716,adams,ls,ok).
audit(davis,7732,diradams,'cd ~graham',ok).
audit(davis,7763,graham,ls,ok).
audit(davis,7779,graham,'cd ~adams',ok).
audit(davis,7797,adams,'cd ~tom/ba',ok).
audit(davis,7799,ba,'cd ~root/bin',ok).
audit(davis,7808,bin,'cd ~evans/csclass',ok).
audit(davis,7820,csclass,'cd ~root',ok).
audit(davis,7823,root,ls,ok).
audit(davis,7827,root,'cd ~adams',ok).
audit(farmer,7877,adams,ls,ok).
audit(farmer,7883,adams,'login adams',ok).
audit(adams,7886,adams,'cd ~adams',ok).
audit(adams,7896,adams,'cd ~tom/ba',ok).
audit(adams,7911,ba,'cd ~adams/diradams',ok).
audit(davis,7936,adams,'cat auxa',ok).
audit(davis,8071,adams,'cat auxb',ok).
audit(davis,8182,adams,'cat auxc',ok).
audit(davis,8217,adams,'cat diradams',ok).
audit(davis,8229,adams,'cd ~graham',ok).
audit(davis,8247,graham,'cat important',ok).
audit(davis,8254,graham,'cd ~farmer',ok).
audit(adams,8260,diradams,'emacs auxb',1134).
audit(davis,8445,farmer,'cat secrets',ok).
audit(davis,8447,farmer,logout,ok).
audit(adams,8519,diradams,'emacs auxc',5118).
audit(adams,8520,diradams,logout,ok).
audit(jones,9008,none,'login jones',fail).
audit(jones,9015,none,'login jones',fail).
audit(jones,9019,none,'login jones',fail).
audit(jones,9032,none,'login jones',fail).
audit(jones,9043,none,'login jones',ok).
audit(jones,9049,jones,su,fail).
audit(jones,9058,jones,su,fail).
audit(jones,9069,jones,su,fail).
audit(jones,9085,jones,su,fail).
audit(jones,9090,jones,su,fail).
audit(jones,9107,jones,su,fail).
audit(jones,9115,jones,su,fail).
audit(jones,9123,jones,su,fail).
audit(jones,9133,jones,su,fail).
audit(jones,9149,jones,su,ok).
audit(jones,9163,jones,'cd ~adams',ok).
audit(jones,9165,adams,'cd ~root/bin',ok).
audit(jones,9190,bin,ls,ok).
audit(jones,9200,bin,'cd ~adams',ok).
audit(jones,9203,adams,'cd ~root',ok).
audit(jones,9218,root,ls,ok).
audit(jones,9228,root,'cd ~adams',ok).
audit(jones,9240,adams,'cd ~root/bin',ok).
audit(jones,9441,bin,'emacs cd',5109).
audit(jones,9560,bin,'emacs ls',2133).
audit(jones,9776,bin,'emacs please_run_me',22914).
audit(jones,9781,bin,logout,ok).
audit(jones,9789,bin,'login jones',ok).
audit(jones,9808,jones,'cd ~root/bin',ok).
audit(jones,10393,bin,'emacs please_run_me',22914).
audit(jones,10401,bin,logout,ok).


The  following  is  the  script  of  Run  4: 


Script  started  on  Wed  Mar  15  22:56:06  1995 
.alias:  No  such  file  or  directory. 

ai2:/users/work4/schiavo/Thesis/Tutor>> prolog

Quintus Prolog Release 3.1.1 (Sun-4, SunOS 4.0)
Copyright (C) 1990, Quintus Corporation. All rights reserved.
2100 Geng Road, Palo Alto, California U.S.A. (415) 813-3800

| ?- [intruder].
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/intruder.pl
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/metutor30.pl
% Undefined procedures will just fail ('fail' option)
% loading file /usr/local/q3.1.1/generic/qplib3.1.1/library/random.qof
% foreign file /usr/local/q3.1.1/generic/qplib3.1.1/library/sun4-4/libpl.so loaded
% random.qof loaded, 0.133 sec 9,392 bytes
% module random imported into user
* Clauses for writefact/2 are not together in the source file
% metutor30.pl compiled in module user, 3.000 sec 50,420 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/modrowe?
% modrowe? compiled in module user, 0.684 sec 15,720 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/filetree
% filetree compiled in module user, 0.434 sec 5,296 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/rules
* Clauses for behavior/5 are not together in the source file
* Clauses for behavior/4 are not together in the source file
% rules compiled in module user, 0.617 sec 7,456 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/rowefiles
% rowefiles compiled in module user, 0.117 sec 4,256 bytes
% compiling file /tmp_mnt/users/work4/schiavo/Thesis/Tutor/operators
* Clauses for recommended/3 are not together in the source file
* Clauses for recommended/2 are not together in the source file
* Clauses for addpostcondition/2 are not together in the source file
% operators compiled in module user, 0.600 sec 6,348 bytes
% intruder.pl compiled in module user, 6.350 sec 102,384 bytes

yes

| ?- statistics.

memory (total)       649696 bytes:     466020 in use,    183676 free
   program space     334956 bytes
   global space       65532 bytes:      26688 in use,     38844 free
      global stack    24584 bytes
      trail              16 bytes
      system           2088 bytes
   local stack        65532 bytes:        440 in use,     65092 free
      local stack       416 bytes
      system             24 bytes

0.000 sec. for 0 global and 3 local space shifts
0.000 sec. for 0 garbage collections which collected 0 bytes
6.633 sec. runtime

yes

| ?- start.


AUDIT  FILE 

The  following  displays  the  current  contents  of  the  audit  file: 


Name 

Time 

Path 

Command 

adams 

7886 

adams 

cd  -adeuos 

adams 

7896 

adams 

cd  -tom/ba 

adams 

7911 

ba  cd 

-adams  /dirad£uzi8 

adams 

8260 

diradeuns 

emacs  auxb 

adams 

8519 

diradams 

emacs  auxc 

adams 

8520 

diradams 

logout 

brown 

1691 

none 

login  brown 

brown 

1708 

brown 

cd  -adams 

brown 

1711 

adams 

cd  -tom/ba 

brown 

1726 

ba 

cd  -root /bin 

brown 

1730 

bin  cd 

-evems  /csclass 

brown 

1734 

csclass 

cd  -davis 

brown 

1741 

davis  cd  -adams/ dir adeuns 

brown 

1744 

diradams 

cd  -doe 

brown 

1752 

doe 

cd  -tom 

brown 

2212 

tom 

emacs  bb 

Result 

ok 

ok 

ok 

1134 

5118 

ok 

ok 

ok 

ok 

ok 

ok 

ok 

ok 

ok 

ok 

587 
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brovm 

2382 

tom 

mail  root 

bad  (bb,  tom) 

brown 

2383 

tom 

logout 

ok 

davis    2363   none      login davis           ok
davis    2940   davis     emacs goodnews        1526
davis    2945   davis     logout                ok
davis    5712   none      login davis           ok
davis    6132   davis     emacs topsecret       1572
davis    6134   davis     logout                ok
davis    7336   none      login davis           fail
davis    7346   none      login davis           fail
davis    7354   none      login davis           fail
davis    7363   none      login davis           fail
davis    7364   none      login davis           fail
davis    7371   none      login davis           fail
davis    7378   none      login davis           fail
davis    7387   none      login davis           fail
davis    7399   none      login davis           fail
davis    7402   none      login davis           fail
davis    7409   none      login davis           fail
davis    7417   none      login davis           ok
davis    7436   davis     su                    fail
davis    7445   davis     su                    fail
davis    7446   davis     su                    fail
davis    7459   davis     su                    fail
davis    7472   davis     su                    fail
davis    7488   davis     su                    fail
davis    7501   davis     su                    fail
davis    7516   davis     su                    fail
davis    7521   davis     su                    fail
davis    7521   davis     su                    ok
davis    7535   davis     cd ~adams             ok
davis    7554   adams     ls                    ok
davis    7574   adams     cd ~dog               ok
davis    7606   dog       ls                    fail
davis    7620   dog       ls                    fail
davis    7624   dog       ls                    fail
davis    7638   dog       ls                    ok
davis    7656   dog       cd ~farmer            ok
davis    7679   farmer    ls                    ok
davis    7685   farmer    cd ~adams             ok
davis    7695   adams     cd ~tom/ba            ok
davis    7696   ba        cd ~root/bin          ok
davis    7703   bin       cd ~evans/csclass     ok
davis    7706   csclass   cd ~davis             ok
davis    7715   davis     cd ~adams/diradams    ok
davis    7732   diradams  cd ~graham            ok
davis    7763   graham    ls                    ok
davis    7779   graham    cd ~adams             ok
davis    7797   adams     cd ~tom/ba            ok
davis    7799   ba        cd ~root/bin          ok
davis    7808   bin       cd ~evans/csclass     ok
davis    7820   csclass   cd ~root              ok
davis    7823   root      ls                    ok
davis    7827   root      cd ~adams             ok
davis    7936   adams     cat auxa              ok
davis    8071   adams     cat auxb              ok
davis    8182   adams     cat auxc              ok
davis    8217   adams     cat diradams          ok
davis    8229   adams     cd ~graham            ok
davis    8247   graham    cat important         ok
davis    8254   graham    cd ~farmer            ok
davis    8445   farmer    cat secrets           ok
davis    8447   farmer    logout                ok

evans    1693   none      login evans           ok
evans    2109   csclass   logout                ok
evans    2109   evans     cd csclass            ok
evans    3046   none      login evans           ok
evans    3066   evans     cd ~adams             ok
evans    3075   adams     cd ~tom/ba            ok
evans    3094   ba        cd ~root/bin          ok
evans    3106   bin       cd ~evans/csclass     ok
evans    3115   csclass   cd ~doe               ok
evans    3118   none      login evans           ok
evans    3128   evans     cd ~tom               ok
evans    3136   doe       ls                    ok
evans    3161   tom       ls                    ok
evans    3205   tom       ls                    ok
evans    3290   doe       ls                    fail
evans    3328   doe       ls                    ok
evans    3351   tom       emacs aa              503
evans    3357   tom       logout                ok
evans    3475   doe       emacs bigpaper        30095
evans    3477   doe       logout                ok

farmer   2330   none      login farmer          ok
farmer   2340   farmer    cd ~adams             ok
farmer   2352   adams     cd ~smith             ok
farmer   2384   smith     ls                    ok
farmer   2414   smith     login smith           fail
farmer   2422   smith     login smith           ok
farmer   7665   none      login farmer          ok
farmer   7678   farmer    cd ~adams             ok
farmer   7716   adams     ls                    ok
farmer   7877   adams     ls                    ok
farmer   7883   adams     login adams           ok

graham   2171   none      login graham          fail
graham   2172   none      login graham          fail
graham   2176   none      login graham          ok
graham   2177   graham    cd ~root/bin          ok
graham   2194   bin       ls                    fail
graham   2213   bin       ls                    ok
graham   2214   bin       cd ~dog               ok
graham   2249   dog       ls                    fail
graham   2253   graham    emacs important       10360
graham   2255   dog       ls                    fail
graham   2260   graham    logout                ok
graham   2273   dog       ls                    ok
graham   2292   dog       cd ~adams             ok
graham   2302   adams     cd ~tom/ba            ok
graham   2311   ba        cd ~root/bin          ok
graham   2321   bin       cd ~tom               ok
graham   2330   tom       ls                    ok
graham   2342   tom       cd ~adams             ok
graham   2360   adams     cd ~tom/ba            ok
graham   2367   ba        cd ~uri               ok
graham   2376   uri       ls                    ok
graham   2382   uri       cd ~adams             ok
graham   2391   adams     cd ~tom               ok
graham   2429   tom       rm *                  ok
graham   2439   tom       mail tom              Eedia ful
graham   2444   tom       logout                ok

jones    338    none      login jones           fail
jones    347    none      login jones           fail
jones    355    none      login jones           fail
jones    361    none      login jones           fail
jones    363    none      login jones           fail
jones    372    none      login jones           fail
jones    385    none      login jones           fail
jones    387    none      login jones           fail
jones    394    none      login jones           fail
jones    402    none      login jones           fail
jones    413    none      login jones           fail
jones    426    none      login jones           ok
jones    433    jones     cd ~root/bin          ok
jones    451    bin       ls                    ok
jones    462    bin       cd ~root              ok
jones    475    root      ls                    ok
jones    481    root      login root            fail
jones    489    root      login root            fail
jones    495    root      login root            fail
jones    501    root      login root            fail
jones    514    root      login root            ok
jones    9008   none      login jones           fail
jones    9015   none      login jones           fail
jones    9019   none      login jones           fail
jones    9032   none      login jones           fail
jones    9043   none      login jones           ok
jones    9049   jones     su                    fail
jones    9058   jones     su                    fail
jones    9069   jones     su                    fail
jones    9085   jones     su                    fail
jones    9090   jones     su                    fail
jones    9107   jones     su                    fail
jones    9115   jones     su                    fail
jones    9123   jones     su                    fail
jones    9133   jones     su                    fail
jones    9149   jones     su                    ok
jones    9163   jones     cd ~adams             ok
jones    9165   adams     cd ~root/bin          ok
jones    9190   bin       ls                    ok
jones    9200   bin       cd ~adams             ok
jones    9203   adams     cd ~root              ok
jones    9218   root      ls                    ok
jones    9228   root      cd ~adams             ok
jones    9240   adams     cd ~root/bin          ok
jones    9441   bin       emacs cd              5109
jones    9560   bin       emacs ls              2133
jones    9776   bin       emacs please_run_me   22914
jones    9781   bin       logout                ok
jones    9789   bin       login jones           ok
jones    9808   jones     cd ~root/bin          ok
jones    10393  bin       emacs please_run_me   22914
jones    10401  bin       logout                ok

root     518    root      cd ~adams             ok
root     533    adams     cd ~tom/ba            ok
root     537    ba        cd bin                ok
root     537    bin       cd ~evans/csclass     ok
root     549    csclass   cd ~root/etc          ok
root     557    etc       cp passwd ~smith/dont_dare_look_at_this  ok
root     569    etc       mail root             Captain Flash strikes
root     576    etc       logout                ok

smith    2651   smith     emacs tmp1434         344
smith    3122   smith     emacs tmp1435         362
smith    3237   smith     emacs tmp1436         405
smith    3239   smith     logout                ok

tom      1843   none      login tom             ok
tom      1845   tom       cd ~adams             ok
tom      1859   adams     cd ba                 ok
tom      1872   ba        cd ~root/bin          ok
tom      1905   bin       ls                    ok
tom      2091   bin       cd ~adams             ok
tom      2106   adams     cd ba                 ok
tom      2126   ba        cd ~graham            ok
tom      2160   graham    ls                    ok
tom      2184   graham    login graham          ok

MAIL RECEIVED

The following displays mail received by root:

From     To       Time   Problem (File, Directory)
brown    root     2382   bad(bb,tom)
root     root     569    Captain Flash strikes again!!!!

% Undefined procedures will just fail ('fail' option)
Warnings:
This fact is not removable: changed(password,root)
This fact is not removable: confronted(user,_12821)
This fact is not removable: examined(password,_12755)
This fact is not removable: executed(password,cracker)
This fact is not removable: investigated(password,_12734)
This fact is not removable: changed(password,for,_12692)
This fact is not removable: changed(permissions,file,_12864)
This fact is not removable: restored(password,for,_12800)
This fact is not removable: issued(new,password,to,_12778)
Your objectives: backup tape is stored and password cracker is executed.
Wait a moment while I analyze the problem thoroughly.

* To see a list of possible actions, type the letter "h" or the word *
* "help." To review the audit file or your mail at anytime, type the *
* word "audit file" or "mail" respectively.                          *


Type  h  for  help. 

************ These facts are now true: *************
backup tape is stored,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: check permissions file passwd
You chose to check permissions file passwd.
OK.

************ These facts are now true: *************
backup tape is stored,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: change permissions passwd
You chose to change permissions passwd.
Not a valid action.

************ These facts are now true: *************
backup tape is stored,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: change permissions file passwd
You chose to change permissions file passwd.
OK.

************ These facts are now true: *************
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: change root password
You chose to change root password.
OK.

************ These facts are now true: *************
password root is changed,
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: confront user davis
You chose to confront user davis.
OK, but a hint: "compare file cd for Trojan Horse with cd on backup tape"
is more important now than "confront user davis".

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: locate backup tape
You chose to locate backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: load backup tape
You chose to load backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
and mail(root,root,569,Captain Flash strikes again!!!!) is true.
Select an action: find file cd on backup tape
You chose to find file cd on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
and found(file,cd,on,backup,tape) is true.
Select an action: compare file cd for Trojan Horse with cd on backup tape
You chose to compare file cd for Trojan Horse with cd on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.
Select an action: find file ls on backup tape
You chose to find file ls on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
and compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true.
Select an action: compare file ls for Trojan Horse with ls on backup tape
You chose to compare file ls for Trojan Horse with ls on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: find file bb on backup tape
You chose to find file bb on backup tape.
Have you confused that with the find file aa on backup tape action?
OK, but a hint: "restore deleted file aa from backup"
is more important now than "restore deleted file bb from backup".

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: find file aa on backup tape
You chose to find file aa on backup tape.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore deleted file aa from backup
You chose to restore deleted file aa from backup.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
file aa is restored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: restore deleted file bb from backup
You chose to restore deleted file bb from backup.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
backup tape is loaded,
backup tape is located,
file aa is restored,
file bb is restored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: store backup tape
You chose to store backup tape.
OK, but a hint: "execute password cracker"
is more important now than "store backup tape".

************ These facts are now true: *************
password root is changed,
user davis is confronted,
file aa is restored,
file bb is restored,
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: execute password cracker
You chose to execute password cracker.
OK.


************ These facts are now true: *************
password root is changed,
user davis is confronted,
password cracker is executed,
file aa is restored,
file bb is restored,
backup tape is stored,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,_434196) is true,
known(insecure,password,for,_434203) is true,
known(insecure,password,for,_434210) is true,
known(insecure,password,for,_434217) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for adams
You chose to change password for adams.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
password cracker is executed,
file aa is restored,
file bb is restored,
backup tape is stored,
changed(password,for,adams) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for farmer
You chose to change password for farmer.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
password cracker is executed,
file aa is restored,
file bb is restored,
backup tape is stored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for graham
You chose to change password for graham.
OK.

************ These facts are now true: *************
password root is changed,
user davis is confronted,
password cracker is executed,
file aa is restored,
file bb is restored,
backup tape is stored,
changed(password,for,adams) is true,
changed(password,for,farmer) is true,
changed(password,for,graham) is true,
changed(permissions,file,passwd) is true,
checked(permissions,file,passwd) is true,
known(insecure,password,for,adams) is true,
known(insecure,password,for,farmer) is true,
known(insecure,password,for,graham) is true,
known(insecure,password,for,smith) is true,
mail(brown,root,2382,bad(bb,tom)) is true,
mail(root,root,569,Captain Flash strikes again!!!!) is true,
found(file,aa,on,backup,tape) is true,
found(file,bb,on,backup,tape) is true,
found(file,cd,on,backup,tape) is true,
found(file,ls,on,backup,tape) is true,
compared(file,cd,for,Trojan Horse,with,cd,on,backup,tape) is true,
and compared(file,ls,for,Trojan Horse,with,ls,on,backup,tape) is true.
Select an action: change password for smith
You chose to change password for smith.
OK.

Congratulations! You have done the job.
The session is over. Do "go." to restart.

yes 

| ?- statistics.

memory (total)    2222560 bytes:   1043272 in use.   1179288 free
  program space    912208 bytes
  global space      65532 bytes:     28472 in use.     37060 free
    global stack    26344 bytes
    trail              40 bytes
    system           2088 bytes
  local stack       65532 bytes:       648 in use.     64884 free
    local stack       624 bytes
    system             24 bytes

17.000 sec. for 0 global and 26 local space shifts
0.000 sec. for 0 garbage collections which collected 0 bytes
33.583 sec. runtime

| ?- halt.